TW
Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

44ee9813-c4f7-46e4-a7f8-9fc3c774abbb

complete
Chain ID
1
Address
0xa327075af2a223a1c83a36ada1126afe7430f955
Block Number
Created
Sat, Jan 3, 2026 1:07 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract
Confirmed
0
Validated
0
Source
Verified
Review Backing
Not yet
Best current signal
Untrusted CALL target/value reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31412 report.consolidate complete 1 / 1 3 months ago
77098 artifact.fetch complete 1 / 3 2 weeks ago
77099 tool.cast_disasm complete 1 / 3 2 weeks ago
77100 analysis.bundle complete 1 / 3 2 weeks ago
77101 capability.graph complete 1 / 3 2 weeks ago
77102 detector.run complete 1 / 3 2 weeks ago
77103 validation.fork complete 1 / 3 2 weeks ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: yes

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
0
No findings?
yes
Summary
Reviewed the runtime bytecode bundle and did not find a concrete, exploitable path to extract ETH/tokens/NFTs without following the intended payout logic; no delegatecall/proxy/selfdestruct or privileged withdraw paths are visible in the bytecode alone.
View stderr 
[codex:54] OpenAI Codex v0.77.0 (research preview)
[codex:54] --------
[codex:54] workdir: /tmp/codex-multi-ycn50ilf
[codex:54] model: gpt-5.2-codex
[codex:54] provider: openai
[codex:54] approval: never
[codex:54] sandbox: read-only
[codex:54] reasoning effort: xhigh
[codex:54] reasoning summaries: auto
[codex:54] session id: 019b815f-8b04-7383-a0b9-4afd8689fd0a
[codex:54] --------
[codex:54] user
[codex:54] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:54] 
[codex:54] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:54] 
[codex:54] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:54] - Gas inefficiency, code quality, or best practices
[codex:54] - Theoretical vulnerabilities without a clear extraction path
[codex:54] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:54] - Issues requiring social engineering or off-chain coordination
[codex:54] 
[codex:54] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:54] - CALL/DELEGATECALL with controllable destination or calldata
[codex:54] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:54] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:54] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:54] - External calls before state updates (reentrancy)
[codex:54] - SELFDESTRUCT with controllable beneficiary
[codex:54] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:54] 
[codex:54] For each finding, you MUST explain:
[codex:54] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:54] 2. The concrete sequence of transactions to extract value
[codex:54] 3. Why you believe this is exploitable (not just suspicious)
[codex:54] 
[codex:54] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:54] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:54] 
[codex:54] Output MUST be valid JSON matching the provided schema.
[codex:54] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:54] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:54] mcp startup: no servers
[codex:54] 
[codex:54] thinking
[codex:54] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:54] exec
[codex:54] /bin/bash -lc ls in /tmp/codex-multi-ycn50ilf succeeded in 5ms:
[codex:54] BYTECODE_BUNDLE.txt
[codex:54] codex-output-schema.json
[codex:54] exec
[codex:54] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-ycn50ilf succeeded in 6ms:
[codex:54] Runtime bytecode bundle for best-effort auditing.
[codex:54] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:54] 
[codex:54] FILE: runtime_bytecode.hex
[codex:54] 0x6060604052361561001f5760e060020a600035046372ea4b8c811461010c575b61011b3460008080678ac7230489e8000084106101d557600180548101908190556003805433929081101561000257906000526020600020900160006101000a815481600160a060020a0302191690830217905550678ac7230489e80000840393508350678ac7230489e800006000600082828250540192505081905550600260016000505411151561011d5760038054829081101561000257906000526020600020900160009054906101000a9004600160a060020a0316600160a060020a03166000600060005054604051809050600060405180830381858888f150505080555060016002556101d5565b60018054016060908152602090f35b005b60018054600354910114156101d55760038054600254600101909102900392505b6003546002549003600119018310156101e357600380548490811015610002579082526040517fc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b9190910154600160a060020a0316908290674563918244f400009082818181858883f150509054674563918244f3ffff1901835550506001929092019161013e565b505060028054600101905550505b600080548501905550505050565b506002548154919250600190810190910460001901905b60035460025490036001190183101561029a576003805484908110156100025760009182526040517fc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b9190910154600160a060020a03169190838504600019019082818181858883f1505081548486049003600190810190925550600290830183020460001901841415905061028e576001015b600192909201916101fa565b60038054600254810182018083559190829080158290116101c75760008390526101c7907fc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b9081019083015b808211156102fa57600081556001016102e6565b509056
[codex:54] 
[codex:54] thinking
[codex:54] **Preparing to analyze bytecode**
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] import binascii
[codex:54] code=open('BYTECODE_BUNDLE.txt').read().splitlines()
[codex:54] hexline=''
[codex:54] for line in code:
[codex:54]     if line.startswith('0x'):
[codex:54]         hexline=line.strip()[2:]
[codex:54]         break
[codex:54] if not hexline:
[codex:54]     import re
[codex:54]     m=re.search(r'0x([0-9a-fA-F]+)',open('BYTECODE_BUNDLE.txt').read())
[codex:54]     hexline=m.group(1)
[codex:54] 
[codex:54] ops={
[codex:54] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:54] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:54] 0x20:'SHA3',
[codex:54] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:54] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:54] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:54] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:54] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:54] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:54] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:54] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:54] }
[codex:54] 
[codex:54] code_bytes=bytes.fromhex(hexline)
[codex:54] 
[codex:54] # disassemble linear with offsets
[codex:54] pc=0
[codex:54] while pc < len(code_bytes):
[codex:54]     op=code_bytes[pc]
[codex:54]     name=ops.get(op, f'UNKNOWN_{op:02x}')
[codex:54]     pc0=pc
[codex:54]     pc+=1
[codex:54]     if 0x60 <= op <= 0x7f:
[codex:54]         n=op-0x5f
[codex:54]         data=code_bytes[pc:pc+n]
[codex:54]         pc+=n
[codex:54]         print(f\"{pc0:04x}: {name} 0x{data.hex()}\")
[codex:54]     else:
[codex:54]         print(f\"{pc0:04x}: {name}\")
[codex:54] PY" in /tmp/codex-multi-ycn50ilf succeeded in 32ms:
[codex:54] 0000: PUSH1 0x60
[codex:54] 0002: PUSH1 0x40
[codex:54] 0004: MSTORE
[codex:54] 0005: CALLDATASIZE
[codex:54] 0006: ISZERO
[codex:54] 0007: PUSH2 0x001f
[codex:54] 000a: JUMPI
[codex:54] 000b: PUSH1 0xe0
[codex:54] 000d: PUSH1 0x02
[codex:54] 000f: EXP
[codex:54] 0010: PUSH1 0x00
[codex:54] 0012: CALLDATALOAD
[codex:54] 0013: DIV
[codex:54] 0014: PUSH4 0x72ea4b8c
[codex:54] 0019: DUP2
[codex:54] 001a: EQ
[codex:54] 001b: PUSH2 0x010c
[codex:54] 001e: JUMPI
[codex:54] 001f: JUMPDEST
[codex:54] 0020: PUSH2 0x011b
[codex:54] 
[codex:54] thinking
[codex:54] **Analyzing contract entry and fallback functions**
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] print(int('8ac7230489e80000',16))
[codex:54] print(int('4563918244f40000',16))
[codex:54] print(int('4563918244f3ffff',16))
[codex:54] PY" in /tmp/codex-multi-ycn50ilf succeeded in 16ms:
[codex:54] 10000000000000000000
[codex:54] 5000000000000000000
[codex:54] 4999999999999999999
[codex:54] 
[codex:54] 
[codex:54] thinking
[codex:54] **Examining Ethereum pyramid contract for exploits**
[codex:54] thinking
[codex:54] **Building a symbolic stack interpreter to decode calls**
[codex:54] 
[codex:54] I’m planning to symbolically track stack expressions—especially around CALL instructions—to clarify parameters like recipient and value. This approach helps unravel how payouts and calls fit into the contract’s logic and whether reentrancy or other exploits are feasible. Let’s explore how constants, calldata construction, and storage use factor into those calls.
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] import sha3
[codex:54] val=(3).to_bytes(32,'big')
[codex:54] print(sha3.keccak_256(val).hexdigest())
[codex:54] PY" in /tmp/codex-multi-ycn50ilf exited 1 in 30ms:
[codex:54] Traceback (most recent call last):
[codex:54]   File "<stdin>", line 1, in <module>
[codex:54] ModuleNotFoundError: No module named 'sha3'
[codex:54] 
[codex:54] thinking
[codex:54] **Considering SHA3 alternatives**
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] import hashlib
[codex:54] val=(3).to_bytes(32,'big')
[codex:54] print(hashlib.sha3_256(val).hexdigest())
[codex:54] PY" in /tmp/codex-multi-ycn50ilf succeeded in 21ms:
[codex:54] 7dacfcae411155045f21875896030db1c68db09631b4a188d89a3981aaaf038a
[codex:54] 
[codex:54] 
[codex:54] thinking
[codex:54] **Analyzing keccak256 constants and storage layout**
[codex:54] thinking
[codex:54] **Implementing symbolic EVM interpreter with path selection**
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] import re
[codex:54] from collections import defaultdict
[codex:54] 
[codex:54] # load hex code
[codex:54] text=open('BYTECODE_BUNDLE.txt').read()
[codex:54] hexline=re.search(r'0x([0-9a-fA-F]+)',text).group(1)
[codex:54] code=bytes.fromhex(hexline)
[codex:54] 
[codex:54] # disassemble list of (pc, op, data)
[codex:54] ops={
[codex:54] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:54] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:54] 0x20:'SHA3',
[codex:54] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:54] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:54] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:54] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:54] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:54] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:54] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:54] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:54] }
[codex:54] 
[codex:54] # Build map of pc->(op, data)
[codex:54] insns={}
[codex:54] pc=0
[codex:54] while pc<len(code):
[codex:54]     op=code[pc]
[codex:54]     name=ops.get(op, f'UNKNOWN_{op:02x}')
[codex:54]     pc0=pc
[codex:54]     pc+=1
[codex:54]     data=None
[codex:54]     if 0x60<=op<=0x7f:
[codex:54]         n=op-0x5f
[codex:54]         data=code[pc:pc+n]
[codex:54]         pc+=n
[codex:54]     insns[pc0]=(name,data)
[codex:54] 
[codex:54] # Simple symbolic interpreter
[codex:54] from dataclasses import dataclass
[codex:54] 
[codex:54] @dataclass
[codex:54] class State:
[codex:54]     pc:int
[codex:54]     stack:list
[codex:54]     mem:dict
[codex:54] 
[codex:54] 
[codex:54] def expr(op,*args):
[codex:54]     if op=='const':
[codex:54]         return args[0]
[codex:54]     return f\"{op}({', '.join(args)})\"
[codex:54] 
[codex:54] # choose path decisions
[codex:54] # We'll assume msg.value >= 10 (so JUMPI at 0x1b not taken)
[codex:54] # For other JUMPI, we'll take the fall-through by default unless specified.
[codex:54] 
[codex:54] # Let's run until we hit first CALL or a max steps
[codex:54] state=State(pc=0x20, stack=[], mem={})
[codex:54] visited=set()
[codex:54] steps=0
[codex:54] 
[codex:54] # Preload stack? At entry fallback, stack empty.
[codex:54] 
[codex:54] # decisions map: pc -> take_jump (True/False)
[codex:54] # for JUMPI at 0x1b (pc 0x1b?) actual at 0x1b: PUSH2 0x010c JUMPI; but we start at fallback after selector? hmm.
[codex:54] 
[codex:54] # We will process sequentially and handle JUMP/JUMPI by setting pc accordingly (no call/return support). We'll approximate.
[codex:54] 
[codex:54] def pop(state):
[codex:54]     return state.stack.pop() if state.stack else 'STACK_UNDERFLOW'
[codex:54] 
[codex:54] def push(state, val):
[codex:54]     state.stack.append(val)
[codex:54] 
[codex:54] 
[codex:54] def debug_stack(state, note=''):
[codex:54]     print(f\"PC {state.pc:04x} {note} stack: {state.stack}\")
[codex:54] 
[codex:54] # We'll manually control branch decisions based on condition names if present.
[codex:54] 
[codex:54] # We'll store last_cond_expr
[codex:54] last_cond=None
[codex:54] 
[codex:54] while steps<500:
[codex:54]     if state.pc not in insns:
[codex:54]         print('pc not in insns', state.pc)
[codex:54]         break
[codex:54]     name,data=insns[state.pc]
[codex:54]     steps+=1
[codex:54]     # print instruction
[codex:54]     # print(f\"{state.pc:04x} {name} {data.hex() if data else ''}\")
[codex:54]     state.pc_next=state.pc+1
[codex:54]     if name.startswith('PUSH'):
[codex:54]         push(state, f\"0x{data.hex()}\")
[codex:54]     elif name.startswith('DUP'):
[codex:54]         n=int(name[3:])
[codex:54]         push(state, state.stack[-n])
[codex:54]     elif name.startswith('SWAP'):
[codex:54]         n=int(name[4:])
[codex:54]         # swap top with nth below (1-indexed)
[codex:54]         if len(state.stack)>=n+1:
[codex:54]             state.stack[-1], state.stack[-1-n] = state.stack[-1-n], state.stack[-1]
[codex:54]         else:
[codex:54]             print('swap underflow')
[codex:54]             break
[codex:54]     elif name=='POP':
[codex:54]         pop(state)
[codex:54]     elif name=='CALLVALUE':
[codex:54]         push(state, 'msg.value')
[codex:54]     elif name=='CALLER':
[codex:54]         push(state, 'msg.sender')
[codex:54]     elif name=='SLOAD':
[codex:54]         key=pop(state)
[codex:54]         push(state, f\"SLOAD[{key}]\")
[codex:54]     elif name=='SSTORE':
[codex:54]         val=pop(state); key=pop(state)
[codex:54]         # store not tracked
[codex:54]         push(state, f\"SSTORE({key},{val})\")
[codex:54]     elif name=='MSTORE':
[codex:54]         val=pop(state); off=pop(state)
[codex:54]         state.mem[off]=val
[codex:54]     elif name=='MLOAD':
[codex:54]         off=pop(state)
[codex:54]         push(state, f\"MLOAD[{off}]\")
[codex:54]     elif name=='SHA3':
[codex:54]         size=pop(state); off=pop(state)
[codex:54]         push(state, f\"KECCAK({off},{size})\")
[codex:54]     elif name in ('ADD','SUB','MUL','DIV','EXP','AND','OR','LT','GT','EQ','ISZERO','NOT'):
[codex:54]         if name=='ISZERO' or name=='NOT':
[codex:54]             a=pop(state)
[codex:54]             push(state, f\"{name}({a})\")
[codex:54]         else:
[codex:54]             b=pop(state); a=pop(state)
[codex:54]             push(state, f\"{name}({a},{b})\")
[codex:54]     elif name=='JUMPI':
[codex:54]         dest=pop(state); cond=pop(state)
[codex:54]         last_cond=cond
[codex:54]         # decide based on cond string; for first JUMPI (msg.value < 10), we want false
[codex:54]         take=False
[codex:54]         if 'LT(msg.value,0x8ac7230489e80000)' in cond:
[codex:54]             take=False
[codex:54]         # else default False to follow fallthrough
[codex:54]         if take:
[codex:54]             state.pc=int(dest,16)
[codex:54]         else:
[codex:54]             state.pc=state.pc+1
[codex:54]         continue
[codex:54]     elif name=='JUMP':
[codex:54]         dest=pop(state)
[codex:54]         # if dest is hex, jump
[codex:54]         if isinstance(dest,str) and dest.startswith('0x'):
[codex:54]             state.pc=int(dest,16)
[codex:54]         else:
[codex:54]             print('dynamic jump', dest)
[codex:54]             break
[codex:54]         continue
[codex:54]     elif name=='CALL':
[codex:54]         # capture args
[codex:54]         out_size=pop(state); out_off=pop(state); in_size=pop(state); in_off=pop(state); value=pop(state); to=pop(state); gas=pop(state)
[codex:54]         print('\\nCALL at', hex(state.pc))
[codex:54]         print(' gas', gas)
[codex:54]         print(' to', to)
[codex:54]         print(' value', value)
[codex:54]         print(' in_off', in_off, 'in_size', in_size, 'out_off', out_off, 'out_size', out_size)
[codex:54]         # push success
[codex:54]         push(state, 'CALL_SUCCESS')
[codex:54]     elif name=='STOP' or name=='RETURN' or name=='REVERT' or name=='INVALID':
[codex:54]         print('halt', name, 'at', hex(state.pc))
[codex:54]         break
[codex:54]     else:
[codex:54]         # for unhandled ops, just note
[codex:54]         pass
[codex:54]     state.pc +=1
[codex:54] 
[codex:54] PY" in /tmp/codex-multi-ycn50ilf succeeded in 39ms:
[codex:54] pc not in insns 33
[codex:54] 
[codex:54] thinking
[codex:54] **Adjusting instruction pointer logic**
[codex:54] exec
[codex:54] /bin/bash -lc "python - <<'PY'
[codex:54] import re
[codex:54] from collections import defaultdict
[codex:54] 
[codex:54] text=open('BYTECODE_BUNDLE.txt').read()
[codex:54] hexline=re.search(r'0x([0-9a-fA-F]+)',text).group(1)
[codex:54] code=bytes.fromhex(hexline)
[codex:54] 
[codex:54] ops={
[codex:54] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:54] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:54] 0x20:'SHA3',
[codex:54] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:54] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:54] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:54] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:54] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:54] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:54] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:54] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:54] }
[codex:54] 
[codex:54] # Build map of pc->(op, data, next_pc)
[codex:54] insns={}
[codex:54] pc=0
[codex:54] while pc<len(code):
[codex:54]     op=code[pc]
[codex:54]     name=ops.get(op, f'UNKNOWN_{op:02x}')
[codex:54]     pc0=pc
[codex:54]     pc+=1
[codex:54]     data=None
[codex:54]     if 0x60<=op<=0x7f:
[codex:54]         n=op-0x5f
[codex:54]         data=code[pc:pc+n]
[codex:54]         pc+=n
[codex:54]     insns[pc0]=(name,data,pc)
[codex:54] 
[codex:54] from dataclasses import dataclass
[codex:54] @dataclass
[codex:54] class State:
[codex:54]     pc:int
[codex:54]     stack:list
[codex:54]     mem:dict
[codex:54] 
[codex:54] 
[codex:54] def pop(state):
[codex:54]     if not state.stack:
[codex:54]         return 'STACK_UNDERFLOW'
[codex:54]     return state.stack.pop()
[codex:54] 
[codex:54] def push(state, val):
[codex:54]     state.stack.append(val)
[codex:54] 
[codex:54] # Choose branches: if cond includes LT(msg.value,0x8ac7230489e80000) => take false
[codex:54] # For other JUMPI, default to not taking jump (fallthrough)
[codex:54] 
[codex:54] state=State(pc=0x1f, stack=[], mem={})
[codex:54] steps=0
[codex:54] 
[codex:54] while steps<600:
[codex:54]     if state.pc not in insns:
[codex:54]         print('pc not in insns', state.pc)
[codex:54]         break
[codex:54]     name,data,next_pc=insns[state.pc]
[codex:54]     steps+=1
[codex:54] 
[codex:54]     if name.startswith('PUSH'):
[codex:54]         push(state, f\"0x{data.hex()}\")
[codex:54]     elif name.startswith('DUP'):
[codex:54]         n=int(name[3:])
[codex:54]         push(state, state.stack[-n])
[codex:54]     elif name.startswith('SWAP'):
[codex:54]         n=int(name[4:])
[codex:54]         if len(state.stack)>=n+1:
[codex:54]             state.stack[-1], state.stack[-1-n]=state.stack[-1-n], state.stack[-1]
[codex:54]         else:
[codex:54]             print('swap underflow')
[codex:54]             break
[codex:54]     elif name=='POP':
[codex:54]         pop(state)
[codex:54]     elif name=='CALLVALUE':
[codex:54]         push(state, 'msg.value')
[codex:54]     elif name=='CALLER':
[codex:54]         push(state, 'msg.sender')
[codex:54]     elif name=='SLOAD':
[codex:54]         key=pop(state)
[codex:54]         push(state, f\"SLOAD[{key}]\")
[codex:54]     elif name=='SSTORE':
[codex:54]         val=pop(state); key=pop(state)
[codex:54]         push(state, f\"SSTORE({key},{val})\")
[codex:54]     elif name=='MSTORE':
[codex:54]         val=pop(state); off=pop(state)
[codex:54]         state.mem[off]=val
[codex:54]     elif name=='MLOAD':
[codex:54]         off=pop(state)
[codex:54]         push(state, f\"MLOAD[{off}]\")
[codex:54]     elif name=='SHA3':
[codex:54]         size=pop(state); off=pop(state)
[codex:54]         push(state, f\"KECCAK({off},{size})\")
[codex:54]     elif name in ('ADD','SUB','MUL','DIV','EXP','AND','OR','LT','GT','EQ','ISZERO','NOT'):
[codex:54]         if name in ('ISZERO','NOT'):
[codex:54]             a=pop(state)
[codex:54]             push(state, f\"{name}({a})\")
[codex:54]         else:
[codex:54]             b=pop(state); a=pop(state)
[codex:54]             push(state, f\"{name}({a},{b})\")
[codex:54]     elif name=='JUMPI':
[codex:54]         dest=pop(state); cond=pop(state)
[codex:54]         take=False
[codex:54]         if cond==\"LT(msg.value,0x8ac7230489e80000)\":
[codex:54]             take=False
[codex:54]         # else keep default false
[codex:54]         if take:
[codex:54]             state.pc=int(dest,16)
[codex:54]         else:
[codex:54]             state.pc=next_pc
[codex:54]         continue
[codex:54]     elif name=='JUMP':
[codex:54]         dest=pop(state)
[codex:54]         if isinstance(dest,str) and dest.startswith('0x'):
[codex:54]             state.pc=int(dest,16)
[codex:54]             continue
[codex:54]         else:
[codex:54]             print('dynamic jump', dest)
[codex:54]             break
[codex:54]     elif name=='CALL':
[codex:54]         out_size=pop(state); out_off=pop(state); in_size=pop(state); in_off=pop(state); value=pop(state); to=pop(state); gas=pop(state)
[codex:54]         print('\\nCALL at', hex(state.pc))
[codex:54]         print(' to', to)
[codex:54]         print(' value', value)
[codex:54]         print(' in_off', in_off, 'in_size', in_size, 'out_off', out_off, 'out_size', out_size)
[codex:54]         push(state, 'CALL_SUCCESS')
[codex:54]     elif name in ('STOP','RETURN','REVERT','INVALID'):
[codex:54]         print('halt', name, 'at', hex(state.pc))
[codex:54]         break
[codex:54] 
[codex:54]     state.pc=next_pc
[codex:54] 
[codex:54] PY" in /tmp/codex-multi-ycn50ilf succeeded in 38ms:
[codex:54] 
[codex:54] CALL at 0xfc
[codex:54]  to MLOAD[0x40]
[codex:54]  value SUB(MLOAD[0x40],MLOAD[0x40])
[codex:54]  in_off MLOAD[0x40] in_size SLOAD[0x00] out_off AND(AND(DIV(EXP(0x00,0x0100),SLOAD[ADD(KECCAK(0x20,0x00),ADD(0x8ac7230489e80000,SLOAD[0x00]))]),SUB(0x01,EXP(0xa0,0x02))),SUB(0x01,EXP(0xa0,0x02))) out_size 0x00
[codex:54] dynamic jump msg.sender
[codex:54] 
[codex:54] thinking
[codex:54] **Analyzing contract bytecode and reentrancy risks**
[codex:54] 
[codex:54] I’m carefully reasoning through the bytecode of this pyramid-style payout contract, tracking calls, storage updates, and control flow to see if a concrete exploit like reentrancy or storage corruption could yield profit. Considering call patterns, state updates after calls, and boundary checks, it seems there’s no straightforward attack vector despite potential complexity. I’ll produce a JSON report signaling no findings per instructions while summarizing this analysis.
[codex:54] codex
[codex:54] {"no_findings":true,"summary":"Reviewed the runtime bytecode bundle and did not find a concrete, exploitable path to extract ETH/tokens/NFTs without following the intended payout logic; no delegatecall/proxy/selfdestruct or privileged withdraw paths are visible in the bytecode alone.","findings":[]}
[codex:54] tokens used
[codex:54] 41,612
[codex:54] {"no_findings":true,"summary":"Reviewed the runtime bytecode bundle and did not find a concrete, exploitable path to extract ETH/tokens/NFTs without following the intended payout logic; no delegatecall/proxy/selfdestruct or privileged withdraw paths are visible in the bytecode alone.","findings":[]}
Metadata 
{
    "codex": {
        "ran_at": "2026-01-03T01:07:21.311588+00:00",
        "returncode": 0
    },
    "summary": "Reviewed the runtime bytecode bundle and did not find a concrete, exploitable path to extract ETH/tokens/NFTs without following the intended payout logic; no delegatecall/proxy/selfdestruct or privileged withdraw paths are visible in the bytecode alone.",
    "raw_final": {
        "summary": "Reviewed the runtime bytecode bundle and did not find a concrete, exploitable path to extract ETH/tokens/NFTs without following the intended payout logic; no delegatecall/proxy/selfdestruct or privileged withdraw paths are visible in the bytecode alone.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
3
EXT*/BALANCE
0
Total opcodes
500
Flags
No heuristic flags raised.
View cast disassembly output 
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: CALLDATASIZE
00000006: ISZERO
00000007: PUSH2 0x001f
0000000a: JUMPI
0000000b: PUSH1 0xe0
0000000d: PUSH1 0x02
0000000f: EXP
00000010: PUSH1 0x00
00000012: CALLDATALOAD
00000013: DIV
00000014: PUSH4 0x72ea4b8c
00000019: DUP2
0000001a: EQ
0000001b: PUSH2 0x010c
0000001e: JUMPI
0000001f: JUMPDEST
00000020: PUSH2 0x011b
00000023: CALLVALUE
00000024: PUSH1 0x00
00000026: DUP1
00000027: DUP1
00000028: PUSH8 0x8ac7230489e80000
00000031: DUP5
00000032: LT
00000033: PUSH2 0x01d5
00000036: JUMPI
00000037: PUSH1 0x01
00000039: DUP1
0000003a: SLOAD
0000003b: DUP2
0000003c: ADD
0000003d: SWAP1
0000003e: DUP2
0000003f: SWAP1
00000040: SSTORE
00000041: PUSH1 0x03
00000043: DUP1
00000044: SLOAD
00000045: CALLER
00000046: SWAP3
00000047: SWAP1
00000048: DUP2
00000049: LT
0000004a: ISZERO
0000004b: PUSH2 0x0002
0000004e: JUMPI
0000004f: SWAP1
00000050: PUSH1 0x00
00000052: MSTORE
00000053: PUSH1 0x20
00000055: PUSH1 0x00
00000057: KECCAK256
00000058: SWAP1
00000059: ADD
0000005a: PUSH1 0x00
0000005c: PUSH2 0x0100
0000005f: EXP
00000060: DUP2
00000061: SLOAD
00000062: DUP2
00000063: PUSH1 0x01
00000065: PUSH1 0xa0
00000067: PUSH1 0x02
00000069: EXP
0000006a: SUB
0000006b: MUL
0000006c: NOT
0000006d: AND
0000006e: SWAP1
0000006f: DUP4
00000070: MUL
00000071: OR
00000072: SWAP1
00000073: SSTORE
00000074: POP
00000075: PUSH8 0x8ac7230489e80000
0000007e: DUP5
0000007f: SUB
00000080: SWAP4
00000081: POP
00000082: DUP4
00000083: POP
00000084: PUSH8 0x8ac7230489e80000
0000008d: PUSH1 0x00
0000008f: PUSH1 0x00
00000091: DUP3
00000092: DUP3
00000093: DUP3
00000094: POP
00000095: SLOAD
00000096: ADD
00000097: SWAP3
00000098: POP
00000099: POP
0000009a: DUP2
0000009b: SWAP1
0000009c: SSTORE
0000009d: POP
0000009e: PUSH1 0x02
000000a0: PUSH1 0x01
000000a2: PUSH1 0x00
000000a4: POP
000000a5: SLOAD
000000a6: GT
000000a7: ISZERO
000000a8: ISZERO
000000a9: PUSH2 0x011d
000000ac: JUMPI
000000ad: PUSH1 0x03
000000af: DUP1
000000b0: SLOAD
000000b1: DUP3
000000b2: SWAP1
000000b3: DUP2
000000b4: LT
000000b5: ISZERO
000000b6: PUSH2 0x0002
000000b9: JUMPI
000000ba: SWAP1
000000bb: PUSH1 0x00
000000bd: MSTORE
000000be: PUSH1 0x20
000000c0: PUSH1 0x00
000000c2: KECCAK256
000000c3: SWAP1
000000c4: ADD
000000c5: PUSH1 0x00
000000c7: SWAP1
000000c8: SLOAD
000000c9: SWAP1
000000ca: PUSH2 0x0100
000000cd: EXP
000000ce: SWAP1
000000cf: DIV
000000d0: PUSH1 0x01
000000d2: PUSH1 0xa0
000000d4: PUSH1 0x02
000000d6: EXP
000000d7: SUB
000000d8: AND
000000d9: PUSH1 0x01
000000db: PUSH1 0xa0
000000dd: PUSH1 0x02
000000df: EXP
000000e0: SUB
000000e1: AND
000000e2: PUSH1 0x00
000000e4: PUSH1 0x00
000000e6: PUSH1 0x00
000000e8: POP
000000e9: SLOAD
000000ea: PUSH1 0x40
000000ec: MLOAD
000000ed: DUP1
000000ee: SWAP1
000000ef: POP
000000f0: PUSH1 0x00
000000f2: PUSH1 0x40
000000f4: MLOAD
000000f5: DUP1
000000f6: DUP4
000000f7: SUB
000000f8: DUP2
000000f9: DUP6
000000fa: DUP9
000000fb: DUP9
000000fc: CALL
000000fd: POP
000000fe: POP
000000ff: POP
00000100: DUP1
00000101: SSTORE
00000102: POP
00000103: PUSH1 0x01
00000105: PUSH1 0x02
00000107: SSTORE
00000108: PUSH2 0x01d5
0000010b: JUMP
0000010c: JUMPDEST
0000010d: PUSH1 0x01
0000010f: DUP1
00000110: SLOAD
00000111: ADD
00000112: PUSH1 0x60
00000114: SWAP1
00000115: DUP2
00000116: MSTORE
00000117: PUSH1 0x20
00000119: SWAP1
0000011a: RETURN
0000011b: JUMPDEST
0000011c: STOP
0000011d: JUMPDEST
0000011e: PUSH1 0x01
00000120: DUP1
00000121: SLOAD
00000122: PUSH1 0x03
00000124: SLOAD
00000125: SWAP2
00000126: ADD
00000127: EQ
00000128: ISZERO
00000129: PUSH2 0x01d5
0000012c: JUMPI
0000012d: PUSH1 0x03
0000012f: DUP1
00000130: SLOAD
00000131: PUSH1 0x02
00000133: SLOAD
00000134: PUSH1 0x01
00000136: ADD
00000137: SWAP1
00000138: SWAP2
00000139: MUL
0000013a: SWAP1
0000013b: SUB
0000013c: SWAP3
0000013d: POP
0000013e: JUMPDEST
0000013f: PUSH1 0x03
00000141: SLOAD
00000142: PUSH1 0x02
00000144: SLOAD
00000145: SWAP1
00000146: SUB
00000147: PUSH1 0x01
00000149: NOT
0000014a: ADD
0000014b: DUP4
0000014c: LT
0000014d: ISZERO
0000014e: PUSH2 0x01e3
00000151: JUMPI
00000152: PUSH1 0x03
00000154: DUP1
00000155: SLOAD
00000156: DUP5
00000157: SWAP1
00000158: DUP2
00000159: LT
0000015a: ISZERO
0000015b: PUSH2 0x0002
0000015e: JUMPI
0000015f: SWAP1
00000160: DUP3
00000161: MSTORE
00000162: PUSH1 0x40
00000164: MLOAD
00000165: PUSH32 0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b
00000186: SWAP2
00000187: SWAP1
00000188: SWAP2
00000189: ADD
0000018a: SLOAD
0000018b: PUSH1 0x01
0000018d: PUSH1 0xa0
0000018f: PUSH1 0x02
00000191: EXP
00000192: SUB
00000193: AND
00000194: SWAP1
00000195: DUP3
00000196: SWAP1
00000197: PUSH8 0x4563918244f40000
000001a0: SWAP1
000001a1: DUP3
000001a2: DUP2
000001a3: DUP2
000001a4: DUP2
000001a5: DUP6
000001a6: DUP9
000001a7: DUP4
000001a8: CALL
000001a9: POP
000001aa: POP
000001ab: SWAP1
000001ac: SLOAD
000001ad: PUSH8 0x4563918244f3ffff
000001b6: NOT
000001b7: ADD
000001b8: DUP4
000001b9: SSTORE
000001ba: POP
000001bb: POP
000001bc: PUSH1 0x01
000001be: SWAP3
000001bf: SWAP1
000001c0: SWAP3
000001c1: ADD
000001c2: SWAP2
000001c3: PUSH2 0x013e
000001c6: JUMP
000001c7: JUMPDEST
000001c8: POP
000001c9: POP
000001ca: PUSH1 0x02
000001cc: DUP1
000001cd: SLOAD
000001ce: PUSH1 0x01
000001d0: ADD
000001d1: SWAP1
000001d2: SSTORE
000001d3: POP
000001d4: POP
000001d5: JUMPDEST
000001d6: PUSH1 0x00
000001d8: DUP1
000001d9: SLOAD
000001da: DUP6
000001db: ADD
000001dc: SWAP1
000001dd: SSTORE
000001de: POP
000001df: POP
000001e0: POP
000001e1: POP
000001e2: JUMP
000001e3: JUMPDEST
000001e4: POP
000001e5: PUSH1 0x02
000001e7: SLOAD
000001e8: DUP2
000001e9: SLOAD
000001ea: SWAP2
000001eb: SWAP3
000001ec: POP
000001ed: PUSH1 0x01
000001ef: SWAP1
000001f0: DUP2
000001f1: ADD
000001f2: SWAP1
000001f3: SWAP2
000001f4: DIV
000001f5: PUSH1 0x00
000001f7: NOT
000001f8: ADD
000001f9: SWAP1
000001fa: JUMPDEST
000001fb: PUSH1 0x03
000001fd: SLOAD
000001fe: PUSH1 0x02
00000200: SLOAD
00000201: SWAP1
00000202: SUB
00000203: PUSH1 0x01
00000205: NOT
00000206: ADD
00000207: DUP4
00000208: LT
00000209: ISZERO
0000020a: PUSH2 0x029a
0000020d: JUMPI
0000020e: PUSH1 0x03
00000210: DUP1
00000211: SLOAD
00000212: DUP5
00000213: SWAP1
00000214: DUP2
00000215: LT
00000216: ISZERO
00000217: PUSH2 0x0002
0000021a: JUMPI
0000021b: PUSH1 0x00
0000021d: SWAP2
0000021e: DUP3
0000021f: MSTORE
00000220: PUSH1 0x40
00000222: MLOAD
00000223: PUSH32 0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b
00000244: SWAP2
00000245: SWAP1
00000246: SWAP2
00000247: ADD
00000248: SLOAD
00000249: PUSH1 0x01
0000024b: PUSH1 0xa0
0000024d: PUSH1 0x02
0000024f: EXP
00000250: SUB
00000251: AND
00000252: SWAP2
00000253: SWAP1
00000254: DUP4
00000255: DUP6
00000256: DIV
00000257: PUSH1 0x00
00000259: NOT
0000025a: ADD
0000025b: SWAP1
0000025c: DUP3
0000025d: DUP2
0000025e: DUP2
0000025f: DUP2
00000260: DUP6
00000261: DUP9
00000262: DUP4
00000263: CALL
00000264: POP
00000265: POP
00000266: DUP2
00000267: SLOAD
00000268: DUP5
00000269: DUP7
0000026a: DIV
0000026b: SWAP1
0000026c: SUB
0000026d: PUSH1 0x01
0000026f: SWAP1
00000270: DUP2
00000271: ADD
00000272: SWAP1
00000273: SWAP3
00000274: SSTORE
00000275: POP
00000276: PUSH1 0x02
00000278: SWAP1
00000279: DUP4
0000027a: ADD
0000027b: DUP4
0000027c: MUL
0000027d: DIV
0000027e: PUSH1 0x00
00000280: NOT
00000281: ADD
00000282: DUP5
00000283: EQ
00000284: ISZERO
00000285: SWAP1
00000286: POP
00000287: PUSH2 0x028e
0000028a: JUMPI
0000028b: PUSH1 0x01
0000028d: ADD
0000028e: JUMPDEST
0000028f: PUSH1 0x01
00000291: SWAP3
00000292: SWAP1
00000293: SWAP3
00000294: ADD
00000295: SWAP2
00000296: PUSH2 0x01fa
00000299: JUMP
0000029a: JUMPDEST
0000029b: PUSH1 0x03
0000029d: DUP1
0000029e: SLOAD
0000029f: PUSH1 0x02
000002a1: SLOAD
000002a2: DUP2
000002a3: ADD
000002a4: DUP3
000002a5: ADD
000002a6: DUP1
000002a7: DUP4
000002a8: SSTORE
000002a9: SWAP2
000002aa: SWAP1
000002ab: DUP3
000002ac: SWAP1
000002ad: DUP1
000002ae: ISZERO
000002af: DUP3
000002b0: SWAP1
000002b1: GT
000002b2: PUSH2 0x01c7
000002b5: JUMPI
000002b6: PUSH1 0x00
000002b8: DUP4
000002b9: SWAP1
000002ba: MSTORE
000002bb: PUSH2 0x01c7
000002be: SWAP1
000002bf: PUSH32 0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b
000002e0: SWAP1
000002e1: DUP2
000002e2: ADD
000002e3: SWAP1
000002e4: DUP4
000002e5: ADD
000002e6: JUMPDEST
000002e7: DUP1
000002e8: DUP3
000002e9: GT
000002ea: ISZERO
000002eb: PUSH2 0x02fa
000002ee: JUMPI
000002ef: PUSH1 0x00
000002f1: DUP2
000002f2: SSTORE
000002f3: PUSH1 0x01
000002f5: ADD
000002f6: PUSH2 0x02e6
000002f9: JUMP
000002fa: JUMPDEST
000002fb: POP
000002fc: SWAP1
000002fd: JUMP

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 no no
view
trace_id: 0xc26634d173bca7d0bfee36488cc220995cb95b1ceb8a0735757a76aab080139e
call_targets: 0xa327075af2a223a1c83a36ada1126afe7430f955
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xc26634d173bca7d0bfee36488cc220995cb95b1ceb8a0735757a76aab080139e",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xa327075af2a223a1c83a36ada1126afe7430f955"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x72ea4b8c",
            "selector": "0x72ea4b8c",
            "calldata_variants": [
                "0x72ea4b8c",
                "0x72ea4b8c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 252,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 424,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 611,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 3,
    "guards_detected": [],
    "untrusted_call_count": 3
}
high other detector ETH value transfer possible 55 no no
view
trace_id: 0xc26634d173bca7d0bfee36488cc220995cb95b1ceb8a0735757a76aab080139e
call_targets: 0xa327075af2a223a1c83a36ada1126afe7430f955
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xc26634d173bca7d0bfee36488cc220995cb95b1ceb8a0735757a76aab080139e",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xa327075af2a223a1c83a36ada1126afe7430f955"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x72ea4b8c",
            "selector": "0x72ea4b8c",
            "calldata_variants": [
                "0x72ea4b8c",
                "0x72ea4b8c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 252,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 424,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 611,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 3,
    "guards_detected": []
}