82899d41-c96a-4df9-b88d-fa9ab0155ce4
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31689 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 95557 | artifact.fetch | complete | 1 / 3 | 2 weeks ago |
| 95558 | tool.cast_disasm | complete | 1 / 3 | 2 weeks ago |
| 95559 | analysis.bundle | complete | 1 / 3 | 2 weeks ago |
| 95560 | capability.graph | complete | 1 / 3 | 2 weeks ago |
| 95561 | detector.run | complete | 1 / 3 | 2 weeks ago |
| 95562 | validation.fork | complete | 1 / 3 | 2 weeks ago |
No slither job recorded yet.
[codex:161151] OpenAI Codex v0.77.0 (research preview)
[codex:161151] --------
[codex:161151] workdir: /tmp/codex-multi-z7_x8ngu
[codex:161151] model: gpt-5.2-codex
[codex:161151] provider: openai
[codex:161151] approval: never
[codex:161151] sandbox: read-only
[codex:161151] reasoning effort: xhigh
[codex:161151] reasoning summaries: auto
[codex:161151] session id: 019b8c7b-3858-7980-b571-a77102046a74
[codex:161151] --------
[codex:161151] user
[codex:161151] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:161151]
[codex:161151] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:161151]
[codex:161151] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:161151] - Gas inefficiency, code quality, or best practices
[codex:161151] - Theoretical vulnerabilities without a clear extraction path
[codex:161151] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:161151] - Issues requiring social engineering or off-chain coordination
[codex:161151]
[codex:161151] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:161151] - CALL/DELEGATECALL with controllable destination or calldata
[codex:161151] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:161151] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:161151] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:161151] - External calls before state updates (reentrancy)
[codex:161151] - SELFDESTRUCT with controllable beneficiary
[codex:161151] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:161151]
[codex:161151] For each finding, you MUST explain:
[codex:161151] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:161151] 2. The concrete sequence of transactions to extract value
[codex:161151] 3. Why you believe this is exploitable (not just suspicious)
[codex:161151]
[codex:161151] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:161151] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:161151]
[codex:161151] Output MUST be valid JSON matching the provided schema.
[codex:161151] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:161151] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:161151] mcp startup: no servers
[codex:161151]
[codex:161151] thinking
[codex:161151] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:161151] exec
[codex:161151] /bin/bash -lc ls in /tmp/codex-multi-z7_x8ngu succeeded in 6ms:
[codex:161151] BYTECODE_BUNDLE.txt
[codex:161151] codex-output-schema.json
[codex:161151] exec
[codex:161151] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-z7_x8ngu succeeded in 5ms:
[codex:161151] Runtime bytecode bundle for best-effort auditing.
[codex:161151] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:161151]
[codex:161151] FILE: runtime_bytecode.hex
[codex:161151] 0x60606040523615610097576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff16806343d726d61461009c578063521eb273146100b15780638c52dc41146101065780638da5cb5b1461011b578063c19d93fb14610170578063cb13cddb146101a7578063f2fde38b146101f4578063f340fa011461022d578063fa89401a1461025b575b600080fd5b34156100a757600080fd5b6100af610294565b005b34156100bc57600080fd5b6100c46103ef565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b341561011157600080fd5b610119610415565b005b341561012657600080fd5b61012e6104f8565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b341561017b57600080fd5b61018361051d565b6040518082600281111561019357fe5b60ff16815260200191505060405180910390f35b34156101b257600080fd5b6101de600480803573ffffffffffffffffffffffffffffffffffffffff16906020019091905050610530565b6040518082815260200191505060405180910390f35b34156101ff57600080fd5b61022b600480803573ffffffffffffffffffffffffffffffffffffffff16906020019091905050610548565b005b610259600480803573ffffffffffffffffffffffffffffffffffffffff16906020019091905050610624565b005b341561026657600080fd5b610292600480803573ffffffffffffffffffffffffffffffffffffffff1690602001909190505061074d565b005b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff161415156102ef57600080fd5b600060028111156102fc57fe5b600260149054906101000a900460ff16600281111561031757fe5b14151561032357600080fd5b60028060146101000a81548160ff0219169083600281111561034157fe5b02179055507f1cdde67b72a90f19919ac732a437ac2f7a10fc128d28c2a6e525d89ce5cd9d3a60405160405180910390a1600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166108fc3073ffffffffffffffffffffffffffffffffffffffff16319081150290604051600060405180830381858888f1935050505015156103eb57600080fd5b5b5b565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614151561047057600080fd5b6000600281111561047d57fe5b600260149054906101000a900460ff16600281111561049857fe5b1415156104a457600080fd5b6001600260146101000a81548160ff021916908360028111156104c357fe5b02179055507f599d8e5a83cffb867d051598c4d70e805d59802d8081c1c7d6dffc5b6aca2b8960405160405180910390a15b5b565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b600260149054906101000a900460ff1681565b60016020528060005260406000206000915090505481565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff161415156105a357600080fd5b600073ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff16141515156105df57600080fd5b806000806101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff1602179055505b5b50565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614151561067f57600080fd5b6000600281111561068c57fe5b600260149054906101000a900460ff1660028111156106a757fe5b1415156106b357600080fd5b61070534600160008473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000205461089d90919063ffffffff16565b600160008373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001908152602001600020819055505b5b50565b60006001600281111561075c57fe5b600260149054906101000a900460ff16600281111561077757fe5b14151561078357600080fd5b600160008373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000205490506000600160008473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001908152602001600020819055508173ffffffffffffffffffffffffffffffffffffffff166108fc829081150290604051600060405180830381858888f19350505050151561084a57600080fd5b8173ffffffffffffffffffffffffffffffffffffffff167fd7dee2702d63ad89917b6a4da9981c90c4d24f8c2bdfd64c604ecae57d8d0651826040518082815260200191505060405180910390a25b5050565b60008082840190508381101515156108b157fe5b8091505b50929150505600a165627a7a72305820a45086f3cebd0cbafddbe523ed3ba70358b2e71bed0d43f9ad1395afc6b22db20029
[codex:161151]
[codex:161151] thinking
[codex:161151] **Decoding and analyzing bytecode structure**
[codex:161151]
[codex:161151] I’m analyzing the Solidity bytecode to map function selectors to their code offsets and infer ownership and access controls. I’m parsing opcode sequences to understand storage slot usage, access checks like `msg.sender == owner`, and function behaviors such as withdrawals and ownership transfers. I’ll likely write a lightweight Python script to disassemble and label instructions for clearer function breakdown and vulnerability assessment.
[codex:161151] exec
[codex:161151] /bin/bash -lc "python3 - <<'PY'
[codex:161151] from binascii import unhexlify
[codex:161151] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split()[0]
[codex:161151] code=code.strip()
[codex:161151] if code.startswith('0x'): code=code[2:]
[codex:161151] # ensure even length
[codex:161151] if len(code)%2: code=code[:-1]
[codex:161151] bytecode=unhexlify(code)
[codex:161151]
[codex:161151] opcodes={
[codex:161151] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:161151] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:161151] 0x20:'SHA3',
[codex:161151] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:161151] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:161151] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:161151] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
[codex:161151] 0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:161151] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:161151] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:161151] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:161151] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:161151] }
[codex:161151]
[codex:161151] # disassemble with offsets
[codex:161151] out=[]
[codex:161151] i=0
[codex:161151] while i<len(bytecode):
[codex:161151] op=bytecode[i]
[codex:161151] name=opcodes.get(op,'UNKNOWN')
[codex:161151] if 0x60<=op<=0x7f:
[codex:161151] n=op-0x5f
[codex:161151] data=bytecode[i+1:i+1+n]
[codex:161151] out.append((i,name,data.hex()))
[codex:161151] i+=1+n
[codex:161151] else:
[codex:161151] out.append((i,name,''))
[codex:161151] i+=1
[codex:161151]
[codex:161151] # print selectively for functions; show offsets and op
[codex:161151] for off,name,data in out:
[codex:161151] if off<0x120:
[codex:161151] print(f\"{off:04x} {name} {data}\")
[codex:161151] print('... total ops',len(out))
[codex:161151] PY" in /tmp/codex-multi-z7_x8ngu succeeded in 33ms:
[codex:161151] 0000 PUSH1 60
[codex:161151] 0002 PUSH1 40
[codex:161151] 0004 MSTORE
[codex:161151] 0005 CALLDATASIZE
[codex:161151] 0006 ISZERO
[codex:161151] 0007 PUSH2 0097
[codex:161151] 000a JUMPI
[codex:161151] 000b PUSH1 00
[codex:161151] 000d CALLDATALOAD
[codex:161151] 000e PUSH29 0100000000000000000000000000000000000000000000000000000000
[codex:161151] 002c SWAP1
[codex:161151] 002d DIV
[codex:161151] 002e PUSH4 ffffffff
[codex:161151] 0033 AND
[codex:161151] 0034 DUP1
[codex:161151] 0035 PUSH4 43d726d6
[codex:161151] 003a EQ
[codex:161151] 003b PUSH2 009c
[codex:161151] 003e JUMPI
[codex:161151] 003f DUP1
[codex:161151]
[codex:161151] thinking
[codex:161151] **Extending disassembly output**
[codex:161151] exec
[codex:161151] /bin/bash -lc "python3 - <<'PY'
[codex:161151] from binascii import unhexlify
[codex:161151] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split()[0].strip()
[codex:161151] if code.startswith('0x'): code=code[2:]
[codex:161151] if len(code)%2: code=code[:-1]
[codex:161151] bytecode=unhexlify(code)
[codex:161151]
[codex:161151] opcodes={
[codex:161151] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:161151] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:161151] 0x20:'SHA3',
[codex:161151] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:161151] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:161151] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:161151] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
[codex:161151] 0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:161151] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:161151] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:161151] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:161151] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:161151] }
[codex:161151]
[codex:161151] # disassemble
[codex:161151] out=[]
[codex:161151] i=0
[codex:161151] while i<len(bytecode):
[codex:161151] op=bytecode[i]
[codex:161151] name=opcodes.get(op,'UNKNOWN')
[codex:161151] if 0x60<=op<=0x7f:
[codex:161151] n=op-0x5f
[codex:161151] data=bytecode[i+1:i+1+n]
[codex:161151] out.append((i,name,data.hex()))
[codex:161151] i+=1+n
[codex:161151] else:
[codex:161151] out.append((i,name,''))
[codex:161151] i+=1
[codex:161151]
[codex:161151] # helper print range
[codex:161151]
[codex:161151] def pr(start,end):
[codex:161151] for off,name,data in out:
[codex:161151] if start<=off<=end:
[codex:161151] if data:
[codex:161151] print(f\"{off:04x} {name} {data}\")
[codex:161151] else:
[codex:161151] print(f\"{off:04x} {name}\")
[codex:161151] print('----')
[codex:161151]
[codex:161151] # print function bodies
[codex:161151] pr(0x0290,0x03f5)
[codex:161151] pr(0x0400,0x0525)
[codex:161151] pr(0x0520,0x062f)
[codex:161151] pr(0x0620,0x0755)
[codex:161151] pr(0x0740,0x08c0)
[codex:161151] PY" in /tmp/codex-multi-z7_x8ngu succeeded in 21ms:
[codex:161151] 0291 JUMP
[codex:161151] 0292 JUMPDEST
[codex:161151] 0293 STOP
[codex:161151] 0294 JUMPDEST
[codex:161151] 0295 PUSH1 00
[codex:161151] 0297 DUP1
[codex:161151] 0298 SWAP1
[codex:161151] 0299 SLOAD
[codex:161151] 029a SWAP1
[codex:161151] 029b PUSH2 0100
[codex:161151] 029e EXP
[codex:161151] 029f SWAP1
[codex:161151] 02a0 DIV
[codex:161151] 02a1 PUSH20 ffffffffffffffffffffffffffffffffffffffff
[codex:161151] 02b6 AND
[codex:161151] 02b7 PUSH20 ffffffffffffffffffffffffffffffffffffffff
[codex:161151] 02cc AND
[codex:161151] 02cd CALLER
[codex:161151] 02ce PUSH20 ffffffffffffffffffffffffffffffffffffffff
[codex:161151] 02e3 AND
[codex:161151]
[codex:161151]
[codex:161151] thinking
[codex:161151] **Analyzing function mappings and storage layout**
[codex:161151] thinking
[codex:161151] **Preparing stack simulation for verification**
[codex:161151] exec
[codex:161151] /bin/bash -lc "python3 - <<'PY'
[codex:161151] from binascii import unhexlify
[codex:161151] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split()[0].strip()
[codex:161151] if code.startswith('0x'): code=code[2:]
[codex:161151] if len(code)%2: code=code[:-1]
[codex:161151] bytecode=unhexlify(code)
[codex:161151]
[codex:161151] # map opcodes to (name, pops, pushes)
[codex:161151] # For simplicity, ignore gas or special cases.
[codex:161151] # For PUSHn, pops 0 pushes 1.
[codex:161151] # For DUPn pops 0 pushes 1. For SWAPn pops 0 pushes 0.
[codex:161151] # For JUMP/JUMPI pops 1/2 etc.
[codex:161151] stack_delta={
[codex:161151] 'POP':(-1),
[codex:161151] 'STOP':0,'ADD':-1,'MUL':-1,'SUB':-1,'DIV':-1,'SDIV':-1,'MOD':-1,'SMOD':-1,'ADDMOD':-2,'MULMOD':-2,'EXP':-1,'SIGNEXTEND':-1,
[codex:161151] 'LT':-1,'GT':-1,'SLT':-1,'SGT':-1,'EQ':-1,'ISZERO':0,'AND':-1,'OR':-1,'XOR':-1,'NOT':0,'BYTE':-1,'SHL':-1,'SHR':-1,'SAR':-1,
[codex:161151] 'SHA3':-1,
[codex:161151] 'ADDRESS':1,'BALANCE':0,'ORIGIN':1,'CALLER':1,'CALLVALUE':1,'CALLDATALOAD':0,'CALLDATASIZE':1,'CALLDATACOPY':-3,'CODESIZE':1,'CODECOPY':-3,'GASPRICE':1,
[codex:161151] 'EXTCODESIZE':0,'EXTCODECOPY':-4,'RETURNDATASIZE':1,'RETURNDATACOPY':-3,'EXTCODEHASH':0,
[codex:161151] 'BLOCKHASH':0,'COINBASE':1,'TIMESTAMP':1,'NUMBER':1,'DIFFICULTY':1,'GASLIMIT':1,'CHAINID':1,'SELFBALANCE':1,'BASEFEE':1,
[codex:161151] 'MLOAD':0,'MSTORE':-2,'MSTORE8':-2,'SLOAD':0,'SSTORE':-2,'JUMP':-1,'JUMPI':-2,'PC':1,'MSIZE':1,'GAS':1,'JUMPDEST':0,
[codex:161151] 'LOG0':-2,'LOG1':-3,'LOG2':-4,'LOG3':-5,'LOG4':-6,
[codex:161151] 'CREATE':-2,'CALL':-6,'CALLCODE':-6,'RETURN':-2,'DELEGATECALL':-5,'CREATE2':-3,'STATICCALL':-5,'REVERT':-2,'INVALID':0,'SELFDESTRUCT':-1
[codex:161151] }
[codex:161151]
[codex:161151] opnames={}
[codex:161151] for i in range(256):
[codex:161151] if 0x60<=i<=0x7f:
[codex:161151] opnames[i]=f'PUSH{i-0x5f}'
[codex:161151] elif 0x80<=i<=0x8f:
[codex:161151] opnames[i]=f'DUP{i-0x7f}'
[codex:161151] elif 0x90<=i<=0x9f:
[codex:161151] opnames[i]=f'SWAP{i-0x8f}'
[codex:161151] else:
[codex:161151] # map known names
[codex:161151] pass
[codex:161151]
[codex:161151] # opcodes map from previous script
[codex:161151] opcodes={
[codex:161151] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:161151] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:161151] 0x20:'SHA3',
[codex:161151] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:161151] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:161151] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:161151] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:161151] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:161151] }
[codex:161151] # add push/dup/swap names
[codex:161151] for i in range(256):
[codex:161151] if i in opcodes: continue
[codex:161151] if 0x60<=i<=0x7f:
[codex:161151] opcodes[i]=f'PUSH{i-0x5f}'
[codex:161151] elif 0x80<=i<=0x8f:
[codex:161151] opcodes[i]=f'DUP{i-0x7f}'
[codex:161151] elif 0x90<=i<=0x9f:
[codex:161151] opcodes[i]=f'SWAP{i-0x8f}'
[codex:161151]
[codex:161151] # compute stack depth along linear execution from 0x0294 to 0x0323
[codex:161151] start=0x0294
[codex:161151] end=0x0323
[codex:161151]
[codex:161151] # build list of instructions with offsets
[codex:161151] instrs=[]
[codex:161151] i=0
[codex:161151] while i<len(bytecode):
[codex:161151] op=bytecode[i]
[codex:161151] name=opcodes.get(op,'UNKNOWN')
[codex:161151] if 0x60<=op<=0x7f:
[codex:161151] n=op-0x5f
[codex:161151] data=bytecode[i+1:i+1+n]
[codex:161151] instrs.append((i,name,data.hex()))
[codex:161151] i+=1+n
[codex:161151] else:
[codex:161151] instrs.append((i,name,''))
[codex:161151] i+=1
[codex:161151]
[codex:161151] # simulate from start to end sequentially
[codex:161151] stack=0
[codex:161151] for off,name,data in instrs:
[codex:161151] if off<start: continue
[codex:161151] if off> end: break
[codex:161151] # compute delta
[codex:161151] if name.startswith('PUSH'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('DUP'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('SWAP'):
[codex:161151] delta=0
[codex:161151] else:
[codex:161151] delta=stack_delta.get(name,0)
[codex:161151] # special case JUMPI/JUMP etc? treat as pop for dest/cond
[codex:161151] # we just track stack depth
[codex:161151] before=stack
[codex:161151] stack+=delta
[codex:161151] if stack<0:
[codex:161151] print('underflow at',hex(off),name,'before',before,'delta',delta)
[codex:161151] break
[codex:161151] print(f\"{off:04x} {name} {data} | stack {before}->{stack}\")
[codex:161151] PY" in /tmp/codex-multi-z7_x8ngu succeeded in 20ms:
[codex:161151] 0294 JUMPDEST | stack 0->0
[codex:161151] 0295 PUSH1 00 | stack 0->1
[codex:161151] 0297 DUP1 | stack 1->2
[codex:161151] 0298 SWAP1 | stack 2->2
[codex:161151] 0299 SLOAD | stack 2->2
[codex:161151] 029a SWAP1 | stack 2->2
[codex:161151] 029b PUSH2 0100 | stack 2->3
[codex:161151] 029e EXP | stack 3->2
[codex:161151] 029f SWAP1 | stack 2->2
[codex:161151] 02a0 DIV | stack 2->1
[codex:161151] 02a1 PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 1->2
[codex:161151] 02b6 AND | stack 2->1
[codex:161151] 02b7 PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 1->2
[codex:161151] 02cc AND | stack 2->1
[codex:161151] 02cd CALLER | stack 1->2
[codex:161151] 02ce PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 2->3
[codex:161151] 02e3 AND | stack 3->2
[codex:161151] 02e4 EQ | stack 2->1
[codex:161151] 02e5 ISZERO | stack 1->1
[codex:161151] 02e6 ISZERO | stack 1->1
[codex:161151]
[codex:161151] thinking
[codex:161151] **Examining smart contract state logic**
[codex:161151] exec
[codex:161151] /bin/bash -lc "python3 - <<'PY'
[codex:161151] from binascii import unhexlify
[codex:161151] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split()[0].strip()
[codex:161151] if code.startswith('0x'): code=code[2:]
[codex:161151] bytecode=unhexlify(code)
[codex:161151] # decode opcodes
[codex:161151] opcodes={
[codex:161151] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:161151] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:161151] 0x20:'SHA3',
[codex:161151] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:161151] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:161151] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:161151] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:161151] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:161151] }
[codex:161151] for i in range(256):
[codex:161151] if i in opcodes: continue
[codex:161151] if 0x60<=i<=0x7f:
[codex:161151] opcodes[i]=f'PUSH{i-0x5f}'
[codex:161151] elif 0x80<=i<=0x8f:
[codex:161151] opcodes[i]=f'DUP{i-0x7f}'
[codex:161151] elif 0x90<=i<=0x9f:
[codex:161151] opcodes[i]=f'SWAP{i-0x8f}'
[codex:161151]
[codex:161151] stack_delta={
[codex:161151] 'POP':-1,
[codex:161151] 'STOP':0,'ADD':-1,'MUL':-1,'SUB':-1,'DIV':-1,'SDIV':-1,'MOD':-1,'SMOD':-1,'ADDMOD':-2,'MULMOD':-2,'EXP':-1,'SIGNEXTEND':-1,
[codex:161151] 'LT':-1,'GT':-1,'SLT':-1,'SGT':-1,'EQ':-1,'ISZERO':0,'AND':-1,'OR':-1,'XOR':-1,'NOT':0,'BYTE':-1,'SHL':-1,'SHR':-1,'SAR':-1,
[codex:161151] 'SHA3':-1,
[codex:161151] 'ADDRESS':1,'BALANCE':0,'ORIGIN':1,'CALLER':1,'CALLVALUE':1,'CALLDATALOAD':0,'CALLDATASIZE':1,'CALLDATACOPY':-3,'CODESIZE':1,'CODECOPY':-3,'GASPRICE':1,
[codex:161151] 'EXTCODESIZE':0,'EXTCODECOPY':-4,'RETURNDATASIZE':1,'RETURNDATACOPY':-3,'EXTCODEHASH':0,
[codex:161151] 'BLOCKHASH':0,'COINBASE':1,'TIMESTAMP':1,'NUMBER':1,'DIFFICULTY':1,'GASLIMIT':1,'CHAINID':1,'SELFBALANCE':1,'BASEFEE':1,
[codex:161151] 'MLOAD':0,'MSTORE':-2,'MSTORE8':-2,'SLOAD':0,'SSTORE':-2,'JUMP':-1,'JUMPI':-2,'PC':1,'MSIZE':1,'GAS':1,'JUMPDEST':0,
[codex:161151] 'LOG0':-2,'LOG1':-3,'LOG2':-4,'LOG3':-5,'LOG4':-6,
[codex:161151] 'CREATE':-2,'CALL':-6,'CALLCODE':-6,'RETURN':-2,'DELEGATECALL':-5,'CREATE2':-3,'STATICCALL':-5,'REVERT':-2,'INVALID':0,'SELFDESTRUCT':-1
[codex:161151] }
[codex:161151]
[codex:161151] # disassemble into list
[codex:161151] instrs=[]
[codex:161151] i=0
[codex:161151] while i<len(bytecode):
[codex:161151] op=bytecode[i]
[codex:161151] name=opcodes.get(op,'UNKNOWN')
[codex:161151] if 0x60<=op<=0x7f:
[codex:161151] n=op-0x5f
[codex:161151] data=bytecode[i+1:i+1+n]
[codex:161151] instrs.append((i,name,data.hex()))
[codex:161151] i+=1+n
[codex:161151] else:
[codex:161151] instrs.append((i,name,''))
[codex:161151] i+=1
[codex:161151]
[codex:161151] # simulate from 0x0624 to 0x06b3 (linear)
[codex:161151] start=0x0624
[codex:161151] end=0x06b3
[codex:161151] stack=0
[codex:161151] for off,name,data in instrs:
[codex:161151] if off<start: continue
[codex:161151] if off>end: break
[codex:161151] if name.startswith('PUSH'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('DUP'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('SWAP'):
[codex:161151] delta=0
[codex:161151] else:
[codex:161151] delta=stack_delta.get(name,0)
[codex:161151] before=stack
[codex:161151] stack+=delta
[codex:161151] if stack<0:
[codex:161151] print('underflow at',hex(off),name)
[codex:161151] break
[codex:161151] print(f\"{off:04x} {name} {data} | stack {before}->{stack}\")
[codex:161151] PY" in /tmp/codex-multi-z7_x8ngu succeeded in 20ms:
[codex:161151] 0624 JUMPDEST | stack 0->0
[codex:161151] 0625 PUSH1 00 | stack 0->1
[codex:161151] 0627 DUP1 | stack 1->2
[codex:161151] 0628 SWAP1 | stack 2->2
[codex:161151] 0629 SLOAD | stack 2->2
[codex:161151] 062a SWAP1 | stack 2->2
[codex:161151] 062b PUSH2 0100 | stack 2->3
[codex:161151] 062e EXP | stack 3->2
[codex:161151] 062f SWAP1 | stack 2->2
[codex:161151] 0630 DIV | stack 2->1
[codex:161151] 0631 PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 1->2
[codex:161151] 0646 AND | stack 2->1
[codex:161151] 0647 PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 1->2
[codex:161151] 065c AND | stack 2->1
[codex:161151] 065d CALLER | stack 1->2
[codex:161151] 065e PUSH20 ffffffffffffffffffffffffffffffffffffffff | stack 2->3
[codex:161151] 0673 AND | stack 3->2
[codex:161151] 0674 EQ | stack 2->1
[codex:161151] 0675 ISZERO | stack 1->1
[codex:161151] 0676 ISZERO | stack 1->1
[codex:161151]
[codex:161151] thinking
[codex:161151] **Analyzing state checks and contributions**
[codex:161151] exec
[codex:161151] /bin/bash -lc "python3 - <<'PY'
[codex:161151] from binascii import unhexlify
[codex:161151] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split()[0].strip()
[codex:161151] if code.startswith('0x'): code=code[2:]
[codex:161151] bytecode=unhexlify(code)
[codex:161151] # opcodes map
[codex:161151] opcodes={
[codex:161151] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:161151] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:161151] 0x20:'SHA3',
[codex:161151] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:161151] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:161151] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:161151] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:161151] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:161151] }
[codex:161151] for i in range(256):
[codex:161151] if i in opcodes: continue
[codex:161151] if 0x60<=i<=0x7f:
[codex:161151] opcodes[i]=f'PUSH{i-0x5f}'
[codex:161151] elif 0x80<=i<=0x8f:
[codex:161151] opcodes[i]=f'DUP{i-0x7f}'
[codex:161151] elif 0x90<=i<=0x9f:
[codex:161151] opcodes[i]=f'SWAP{i-0x8f}'
[codex:161151]
[codex:161151] stack_delta={
[codex:161151] 'POP':-1,
[codex:161151] 'STOP':0,'ADD':-1,'MUL':-1,'SUB':-1,'DIV':-1,'SDIV':-1,'MOD':-1,'SMOD':-1,'ADDMOD':-2,'MULMOD':-2,'EXP':-1,'SIGNEXTEND':-1,
[codex:161151] 'LT':-1,'GT':-1,'SLT':-1,'SGT':-1,'EQ':-1,'ISZERO':0,'AND':-1,'OR':-1,'XOR':-1,'NOT':0,'BYTE':-1,'SHL':-1,'SHR':-1,'SAR':-1,
[codex:161151] 'SHA3':-1,
[codex:161151] 'ADDRESS':1,'BALANCE':0,'ORIGIN':1,'CALLER':1,'CALLVALUE':1,'CALLDATALOAD':0,'CALLDATASIZE':1,'CALLDATACOPY':-3,'CODESIZE':1,'CODECOPY':-3,'GASPRICE':1,
[codex:161151] 'EXTCODESIZE':0,'EXTCODECOPY':-4,'RETURNDATASIZE':1,'RETURNDATACOPY':-3,'EXTCODEHASH':0,
[codex:161151] 'BLOCKHASH':0,'COINBASE':1,'TIMESTAMP':1,'NUMBER':1,'DIFFICULTY':1,'GASLIMIT':1,'CHAINID':1,'SELFBALANCE':1,'BASEFEE':1,
[codex:161151] 'MLOAD':0,'MSTORE':-2,'MSTORE8':-2,'SLOAD':0,'SSTORE':-2,'JUMP':-1,'JUMPI':-2,'PC':1,'MSIZE':1,'GAS':1,'JUMPDEST':0,
[codex:161151] 'LOG0':-2,'LOG1':-3,'LOG2':-4,'LOG3':-5,'LOG4':-6,
[codex:161151] 'CREATE':-2,'CALL':-6,'CALLCODE':-6,'RETURN':-2,'DELEGATECALL':-5,'CREATE2':-3,'STATICCALL':-5,'REVERT':-2,'INVALID':0,'SELFDESTRUCT':-1
[codex:161151] }
[codex:161151]
[codex:161151] # disassemble
[codex:161151] instrs=[]
[codex:161151] i=0
[codex:161151] while i<len(bytecode):
[codex:161151] op=bytecode[i]
[codex:161151] name=opcodes.get(op,'UNKNOWN')
[codex:161151] if 0x60<=op<=0x7f:
[codex:161151] n=op-0x5f
[codex:161151] data=bytecode[i+1:i+1+n]
[codex:161151] instrs.append((i,name,data.hex()))
[codex:161151] i+=1+n
[codex:161151] else:
[codex:161151] instrs.append((i,name,''))
[codex:161151] i+=1
[codex:161151]
[codex:161151] start=0x074d
[codex:161151] end=0x084a
[codex:161151] stack=0
[codex:161151] for off,name,data in instrs:
[codex:161151] if off<start: continue
[codex:161151] if off>end: break
[codex:161151] if name.startswith('PUSH'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('DUP'):
[codex:161151] delta=1
[codex:161151] elif name.startswith('SWAP'):
[codex:161151] delta=0
[codex:161151] else:
[codex:161151] delta=stack_delta.get(name,0)
[codex:161151] before=stack
[codex:161151] stack+=delta
[codex:161151] if stack<0:
[codex:161151] print('underflow at',hex(off),name)
[codex:161151] break
[codex:161151] print(f\"{off:04x} {name} {data} | stack {before}->{stack}\")
[codex:161151] PY" in /tmp/codex-multi-z7_x8ngu succeeded in 19ms:
[codex:161151] 074d JUMPDEST | stack 0->0
[codex:161151] 074e PUSH1 00 | stack 0->1
[codex:161151] 0750 PUSH1 01 | stack 1->2
[codex:161151] 0752 PUSH1 02 | stack 2->3
[codex:161151] 0754 DUP2 | stack 3->4
[codex:161151] 0755 GT | stack 4->3
[codex:161151] 0756 ISZERO | stack 3->3
[codex:161151] 0757 PUSH2 075c | stack 3->4
[codex:161151] 075a JUMPI | stack 4->2
[codex:161151] 075b INVALID | stack 2->2
[codex:161151] 075c JUMPDEST | stack 2->2
[codex:161151] 075d PUSH1 02 | stack 2->3
[codex:161151] 075f PUSH1 14 | stack 3->4
[codex:161151] 0761 SWAP1 | stack 4->4
[codex:161151] 0762 SLOAD | stack 4->4
[codex:161151] 0763 SWAP1 | stack 4->4
[codex:161151] 0764 PUSH2 0100 | stack 4->5
[codex:161151] 0767 EXP | stack 5->4
[codex:161151] 0768 SWAP1 | stack 4->4
[codex:161151] 0769 DIV | stack 4->3
[codex:161151]
[codex:161151] thinking
[codex:161151] **Analyzing RefundVault bytecode and states**
[codex:161151]
[codex:161151] I’m unpacking the bytecode and comparing it with the typical RefundVault contract pattern from OpenZeppelin. The functions and state checks align perfectly with standard deposit, refund, and state transitions, and I don’t see any exploitable path to improperly extract value—refunds only go to investors, deposits and state changes require owner, and state transitions are locked once moved. The contract looks solid and matches the known pattern exactly.
[codex:161151] codex
[codex:161151] {"no_findings":true,"summary":"No concrete exploitable path to extract value found in the provided runtime bytecode; value transfers are gated by owner-only state transitions and refunds send funds only to the recorded investor address.","findings":[]}
[codex:161151] tokens used
[codex:161151] 46,973
[codex:161151] {"no_findings":true,"summary":"No concrete exploitable path to extract value found in the provided runtime bytecode; value transfers are gated by owner-only state transitions and refunds send funds only to the recorded investor address.","findings":[]}
{
"codex": {
"ran_at": "2026-01-05T04:53:12.484830+00:00",
"returncode": 0
},
"summary": "No concrete exploitable path to extract value found in the provided runtime bytecode; value transfers are gated by owner-only state transitions and refunds send funds only to the recorded investor address.",
"raw_final": {
"summary": "No concrete exploitable path to extract value found in the provided runtime bytecode; value transfers are gated by owner-only state transitions and refunds send funds only to the recorded investor address.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x0097 0000000a: JUMPI 0000000b: PUSH1 0x00 0000000d: CALLDATALOAD 0000000e: PUSH29 0x0100000000000000000000000000000000000000000000000000000000 0000002c: SWAP1 0000002d: DIV 0000002e: PUSH4 0xffffffff 00000033: AND 00000034: DUP1 00000035: PUSH4 0x43d726d6 0000003a: EQ 0000003b: PUSH2 0x009c 0000003e: JUMPI 0000003f: DUP1 00000040: PUSH4 0x521eb273 00000045: EQ 00000046: PUSH2 0x00b1 00000049: JUMPI 0000004a: DUP1 0000004b: PUSH4 0x8c52dc41 00000050: EQ 00000051: PUSH2 0x0106 00000054: JUMPI 00000055: DUP1 00000056: PUSH4 0x8da5cb5b 0000005b: EQ 0000005c: PUSH2 0x011b 0000005f: JUMPI 00000060: DUP1 00000061: PUSH4 0xc19d93fb 00000066: EQ 00000067: PUSH2 0x0170 0000006a: JUMPI 0000006b: DUP1 0000006c: PUSH4 0xcb13cddb 00000071: EQ 00000072: PUSH2 0x01a7 00000075: JUMPI 00000076: DUP1 00000077: PUSH4 0xf2fde38b 0000007c: EQ 0000007d: PUSH2 0x01f4 00000080: JUMPI 00000081: DUP1 00000082: PUSH4 0xf340fa01 00000087: EQ 00000088: PUSH2 0x022d 0000008b: JUMPI 0000008c: DUP1 0000008d: PUSH4 0xfa89401a 00000092: EQ 00000093: PUSH2 0x025b 00000096: JUMPI 00000097: JUMPDEST 00000098: PUSH1 0x00 0000009a: DUP1 0000009b: REVERT 0000009c: JUMPDEST 0000009d: CALLVALUE 0000009e: ISZERO 0000009f: PUSH2 0x00a7 000000a2: JUMPI 000000a3: PUSH1 0x00 000000a5: DUP1 000000a6: REVERT 000000a7: JUMPDEST 000000a8: PUSH2 0x00af 000000ab: PUSH2 0x0294 000000ae: JUMP 000000af: JUMPDEST 000000b0: STOP 000000b1: JUMPDEST 000000b2: CALLVALUE 000000b3: ISZERO 000000b4: PUSH2 0x00bc 000000b7: JUMPI 000000b8: PUSH1 0x00 000000ba: DUP1 000000bb: REVERT 000000bc: JUMPDEST 000000bd: PUSH2 0x00c4 000000c0: PUSH2 0x03ef 000000c3: JUMP 000000c4: JUMPDEST 000000c5: PUSH1 0x40 000000c7: MLOAD 000000c8: DUP1 000000c9: DUP3 000000ca: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000df: AND 000000e0: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000f5: AND 000000f6: DUP2 000000f7: MSTORE 000000f8: PUSH1 0x20 000000fa: ADD 000000fb: SWAP2 000000fc: POP 000000fd: POP 000000fe: PUSH1 0x40 00000100: MLOAD 00000101: DUP1 00000102: SWAP2 00000103: SUB 00000104: SWAP1 00000105: RETURN 00000106: JUMPDEST 00000107: CALLVALUE 00000108: ISZERO 00000109: PUSH2 0x0111 0000010c: JUMPI 0000010d: PUSH1 0x00 0000010f: DUP1 00000110: REVERT 00000111: JUMPDEST 00000112: PUSH2 0x0119 00000115: PUSH2 0x0415 00000118: JUMP 00000119: JUMPDEST 0000011a: STOP 0000011b: JUMPDEST 0000011c: CALLVALUE 0000011d: ISZERO 0000011e: PUSH2 0x0126 00000121: JUMPI 00000122: PUSH1 0x00 00000124: DUP1 00000125: REVERT 00000126: JUMPDEST 00000127: PUSH2 0x012e 0000012a: PUSH2 0x04f8 0000012d: JUMP 0000012e: JUMPDEST 0000012f: PUSH1 0x40 00000131: MLOAD 00000132: DUP1 00000133: DUP3 00000134: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000149: AND 0000014a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000015f: AND 00000160: DUP2 00000161: MSTORE 00000162: PUSH1 0x20 00000164: ADD 00000165: SWAP2 00000166: POP 00000167: POP 00000168: PUSH1 0x40 0000016a: MLOAD 0000016b: DUP1 0000016c: SWAP2 0000016d: SUB 0000016e: SWAP1 0000016f: RETURN 00000170: JUMPDEST 00000171: CALLVALUE 00000172: ISZERO 00000173: PUSH2 0x017b 00000176: JUMPI 00000177: PUSH1 0x00 00000179: DUP1 0000017a: REVERT 0000017b: JUMPDEST 0000017c: PUSH2 0x0183 0000017f: PUSH2 0x051d 00000182: JUMP 00000183: JUMPDEST 00000184: PUSH1 0x40 00000186: MLOAD 00000187: DUP1 00000188: DUP3 00000189: PUSH1 0x02 0000018b: DUP2 0000018c: GT 0000018d: ISZERO 0000018e: PUSH2 0x0193 00000191: JUMPI 00000192: INVALID 00000193: JUMPDEST 00000194: PUSH1 0xff 00000196: AND 00000197: DUP2 00000198: MSTORE 00000199: PUSH1 0x20 0000019b: ADD 0000019c: SWAP2 0000019d: POP 0000019e: POP 0000019f: PUSH1 0x40 000001a1: MLOAD 000001a2: DUP1 000001a3: SWAP2 000001a4: SUB 000001a5: SWAP1 000001a6: RETURN 000001a7: JUMPDEST 000001a8: CALLVALUE 000001a9: ISZERO 000001aa: PUSH2 0x01b2 000001ad: JUMPI 000001ae: PUSH1 0x00 000001b0: DUP1 000001b1: REVERT 000001b2: JUMPDEST 000001b3: PUSH2 0x01de 000001b6: PUSH1 0x04 000001b8: DUP1 000001b9: DUP1 000001ba: CALLDATALOAD 000001bb: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000001d0: AND 000001d1: SWAP1 000001d2: PUSH1 0x20 000001d4: ADD 000001d5: SWAP1 000001d6: SWAP2 000001d7: SWAP1 000001d8: POP 000001d9: POP 000001da: PUSH2 0x0530 000001dd: JUMP 000001de: JUMPDEST 000001df: PUSH1 0x40 000001e1: MLOAD 000001e2: DUP1 000001e3: DUP3 000001e4: DUP2 000001e5: MSTORE 000001e6: PUSH1 0x20 000001e8: ADD 000001e9: SWAP2 000001ea: POP 000001eb: POP 000001ec: PUSH1 0x40 000001ee: MLOAD 000001ef: DUP1 000001f0: SWAP2 000001f1: SUB 000001f2: SWAP1 000001f3: RETURN 000001f4: JUMPDEST 000001f5: CALLVALUE 000001f6: ISZERO 000001f7: PUSH2 0x01ff 000001fa: JUMPI 000001fb: PUSH1 0x00 000001fd: DUP1 000001fe: REVERT 000001ff: JUMPDEST 00000200: PUSH2 0x022b 00000203: PUSH1 0x04 00000205: DUP1 00000206: DUP1 00000207: CALLDATALOAD 00000208: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000021d: AND 0000021e: SWAP1 0000021f: PUSH1 0x20 00000221: ADD 00000222: SWAP1 00000223: SWAP2 00000224: SWAP1 00000225: POP 00000226: POP 00000227: PUSH2 0x0548 0000022a: JUMP 0000022b: JUMPDEST 0000022c: STOP 0000022d: JUMPDEST 0000022e: PUSH2 0x0259 00000231: PUSH1 0x04 00000233: DUP1 00000234: DUP1 00000235: CALLDATALOAD 00000236: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000024b: AND 0000024c: SWAP1 0000024d: PUSH1 0x20 0000024f: ADD 00000250: SWAP1 00000251: SWAP2 00000252: SWAP1 00000253: POP 00000254: POP 00000255: PUSH2 0x0624 00000258: JUMP 00000259: JUMPDEST 0000025a: STOP 0000025b: JUMPDEST 0000025c: CALLVALUE 0000025d: ISZERO 0000025e: PUSH2 0x0266 00000261: JUMPI 00000262: PUSH1 0x00 00000264: DUP1 00000265: REVERT 00000266: JUMPDEST 00000267: PUSH2 0x0292 0000026a: PUSH1 0x04 0000026c: DUP1 0000026d: DUP1 0000026e: CALLDATALOAD 0000026f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000284: AND 00000285: SWAP1 00000286: PUSH1 0x20 00000288: ADD 00000289: SWAP1 0000028a: SWAP2 0000028b: SWAP1 0000028c: POP 0000028d: POP 0000028e: PUSH2 0x074d 00000291: JUMP 00000292: JUMPDEST 00000293: STOP 00000294: JUMPDEST 00000295: PUSH1 0x00 00000297: DUP1 00000298: SWAP1 00000299: SLOAD 0000029a: SWAP1 0000029b: PUSH2 0x0100 0000029e: EXP 0000029f: SWAP1 000002a0: DIV 000002a1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002b6: AND 000002b7: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002cc: AND 000002cd: CALLER 000002ce: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002e3: AND 000002e4: EQ 000002e5: ISZERO 000002e6: ISZERO 000002e7: PUSH2 0x02ef 000002ea: JUMPI 000002eb: PUSH1 0x00 000002ed: DUP1 000002ee: REVERT 000002ef: JUMPDEST 000002f0: PUSH1 0x00 000002f2: PUSH1 0x02 000002f4: DUP2 000002f5: GT 000002f6: ISZERO 000002f7: PUSH2 0x02fc 000002fa: JUMPI 000002fb: INVALID 000002fc: JUMPDEST 000002fd: PUSH1 0x02 000002ff: PUSH1 0x14 00000301: SWAP1 00000302: SLOAD 00000303: SWAP1 00000304: PUSH2 0x0100 00000307: EXP 00000308: SWAP1 00000309: DIV 0000030a: PUSH1 0xff 0000030c: AND 0000030d: PUSH1 0x02 0000030f: DUP2 00000310: GT 00000311: ISZERO 00000312: PUSH2 0x0317 00000315: JUMPI 00000316: INVALID 00000317: JUMPDEST 00000318: EQ 00000319: ISZERO 0000031a: ISZERO 0000031b: PUSH2 0x0323 0000031e: JUMPI 0000031f: PUSH1 0x00 00000321: DUP1 00000322: REVERT 00000323: JUMPDEST 00000324: PUSH1 0x02 00000326: DUP1 00000327: PUSH1 0x14 00000329: PUSH2 0x0100 0000032c: EXP 0000032d: DUP2 0000032e: SLOAD 0000032f: DUP2 00000330: PUSH1 0xff 00000332: MUL 00000333: NOT 00000334: AND 00000335: SWAP1 00000336: DUP4 00000337: PUSH1 0x02 00000339: DUP2 0000033a: GT 0000033b: ISZERO 0000033c: PUSH2 0x0341 0000033f: JUMPI 00000340: INVALID 00000341: JUMPDEST 00000342: MUL 00000343: OR 00000344: SWAP1 00000345: SSTORE 00000346: POP 00000347: PUSH32 0x1cdde67b72a90f19919ac732a437ac2f7a10fc128d28c2a6e525d89ce5cd9d3a 00000368: PUSH1 0x40 0000036a: MLOAD 0000036b: PUSH1 0x40 0000036d: MLOAD 0000036e: DUP1 0000036f: SWAP2 00000370: SUB 00000371: SWAP1 00000372: LOG1 00000373: PUSH1 0x02 00000375: PUSH1 0x00 00000377: SWAP1 00000378: SLOAD 00000379: SWAP1 0000037a: PUSH2 0x0100 0000037d: EXP 0000037e: SWAP1 0000037f: DIV 00000380: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000395: AND 00000396: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000003ab: AND 000003ac: PUSH2 0x08fc 000003af: ADDRESS 000003b0: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000003c5: AND 000003c6: BALANCE 000003c7: SWAP1 000003c8: DUP2 000003c9: ISZERO 000003ca: MUL 000003cb: SWAP1 000003cc: PUSH1 0x40 000003ce: MLOAD 000003cf: PUSH1 0x00 000003d1: PUSH1 0x40 000003d3: MLOAD 000003d4: DUP1 000003d5: DUP4 000003d6: SUB 000003d7: DUP2 000003d8: DUP6 000003d9: DUP9 000003da: DUP9 000003db: CALL 000003dc: SWAP4 000003dd: POP 000003de: POP 000003df: POP 000003e0: POP 000003e1: ISZERO 000003e2: ISZERO 000003e3: PUSH2 0x03eb 000003e6: JUMPI 000003e7: PUSH1 0x00 000003e9: DUP1 000003ea: REVERT 000003eb: JUMPDEST 000003ec: JUMPDEST 000003ed: JUMPDEST 000003ee: JUMP 000003ef: JUMPDEST 000003f0: PUSH1 0x02 000003f2: PUSH1 0x00 000003f4: SWAP1 000003f5: SLOAD 000003f6: SWAP1 000003f7: PUSH2 0x0100 000003fa: EXP 000003fb: SWAP1 000003fc: DIV 000003fd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000412: AND 00000413: DUP2 00000414: JUMP 00000415: JUMPDEST 00000416: PUSH1 0x00 00000418: DUP1 00000419: SWAP1 0000041a: SLOAD 0000041b: SWAP1 0000041c: PUSH2 0x0100 0000041f: EXP 00000420: SWAP1 00000421: DIV 00000422: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000437: AND 00000438: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000044d: AND 0000044e: CALLER 0000044f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000464: AND 00000465: EQ 00000466: ISZERO 00000467: ISZERO 00000468: PUSH2 0x0470 0000046b: JUMPI 0000046c: PUSH1 0x00 0000046e: DUP1 0000046f: REVERT 00000470: JUMPDEST 00000471: PUSH1 0x00 00000473: PUSH1 0x02 00000475: DUP2 00000476: GT 00000477: ISZERO 00000478: PUSH2 0x047d 0000047b: JUMPI 0000047c: INVALID 0000047d: JUMPDEST 0000047e: PUSH1 0x02 00000480: PUSH1 0x14 00000482: SWAP1 00000483: SLOAD 00000484: SWAP1 00000485: PUSH2 0x0100 00000488: EXP 00000489: SWAP1 0000048a: DIV 0000048b: PUSH1 0xff 0000048d: AND 0000048e: PUSH1 0x02 00000490: DUP2 00000491: GT 00000492: ISZERO 00000493: PUSH2 0x0498 00000496: JUMPI 00000497: INVALID 00000498: JUMPDEST 00000499: EQ 0000049a: ISZERO 0000049b: ISZERO 0000049c: PUSH2 0x04a4 0000049f: JUMPI 000004a0: PUSH1 0x00 000004a2: DUP1 000004a3: REVERT 000004a4: JUMPDEST 000004a5: PUSH1 0x01 000004a7: PUSH1 0x02 000004a9: PUSH1 0x14 000004ab: PUSH2 0x0100 000004ae: EXP 000004af: DUP2 000004b0: SLOAD 000004b1: DUP2 000004b2: PUSH1 0xff 000004b4: MUL 000004b5: NOT 000004b6: AND 000004b7: SWAP1 000004b8: DUP4 000004b9: PUSH1 0x02 000004bb: DUP2 000004bc: GT 000004bd: ISZERO 000004be: PUSH2 0x04c3 000004c1: JUMPI 000004c2: INVALID 000004c3: JUMPDEST 000004c4: MUL 000004c5: OR 000004c6: SWAP1 000004c7: SSTORE 000004c8: POP 000004c9: PUSH32 0x599d8e5a83cffb867d051598c4d70e805d59802d8081c1c7d6dffc5b6aca2b89 000004ea: PUSH1 0x40 000004ec: MLOAD 000004ed: PUSH1 0x40 000004ef: MLOAD 000004f0: DUP1 000004f1: SWAP2 000004f2: SUB 000004f3: SWAP1 000004f4: LOG1 000004f5: JUMPDEST 000004f6: JUMPDEST 000004f7: JUMP 000004f8: JUMPDEST 000004f9: PUSH1 0x00 000004fb: DUP1 000004fc: SWAP1 000004fd: SLOAD 000004fe: SWAP1 000004ff: PUSH2 0x0100 00000502: EXP 00000503: SWAP1 00000504: DIV 00000505: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000051a: AND 0000051b: DUP2 0000051c: JUMP 0000051d: JUMPDEST 0000051e: PUSH1 0x02 00000520: PUSH1 0x14 00000522: SWAP1 00000523: SLOAD 00000524: SWAP1 00000525: PUSH2 0x0100 00000528: EXP 00000529: SWAP1 0000052a: DIV 0000052b: PUSH1 0xff 0000052d: AND 0000052e: DUP2 0000052f: JUMP 00000530: JUMPDEST 00000531: PUSH1 0x01 00000533: PUSH1 0x20 00000535: MSTORE 00000536: DUP1 00000537: PUSH1 0x00 00000539: MSTORE 0000053a: PUSH1 0x40 0000053c: PUSH1 0x00 0000053e: KECCAK256 0000053f: PUSH1 0x00 00000541: SWAP2 00000542: POP 00000543: SWAP1 00000544: POP 00000545: SLOAD 00000546: DUP2 00000547: JUMP 00000548: JUMPDEST 00000549: PUSH1 0x00 0000054b: DUP1 0000054c: SWAP1 0000054d: SLOAD 0000054e: SWAP1 0000054f: PUSH2 0x0100 00000552: EXP 00000553: SWAP1 00000554: DIV 00000555: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000056a: AND 0000056b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000580: AND 00000581: CALLER 00000582: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000597: AND 00000598: EQ 00000599: ISZERO 0000059a: ISZERO 0000059b: PUSH2 0x05a3 0000059e: JUMPI 0000059f: PUSH1 0x00 000005a1: DUP1 000005a2: REVERT 000005a3: JUMPDEST 000005a4: PUSH1 0x00 000005a6: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000005bb: AND 000005bc: DUP2 000005bd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000005d2: AND 000005d3: EQ 000005d4: ISZERO 000005d5: ISZERO 000005d6: ISZERO 000005d7: PUSH2 0x05df 000005da: JUMPI 000005db: PUSH1 0x00 000005dd: DUP1 000005de: REVERT 000005df: JUMPDEST 000005e0: DUP1 000005e1: PUSH1 0x00 000005e3: DUP1 000005e4: PUSH2 0x0100 000005e7: EXP 000005e8: DUP2 000005e9: SLOAD 000005ea: DUP2 000005eb: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000600: MUL 00000601: NOT 00000602: AND 00000603: SWAP1 00000604: DUP4 00000605: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000061a: AND 0000061b: MUL 0000061c: OR 0000061d: SWAP1 0000061e: SSTORE 0000061f: POP 00000620: JUMPDEST 00000621: JUMPDEST 00000622: POP 00000623: JUMP 00000624: JUMPDEST 00000625: PUSH1 0x00 00000627: DUP1 00000628: SWAP1 00000629: SLOAD 0000062a: SWAP1 0000062b: PUSH2 0x0100 0000062e: EXP 0000062f: SWAP1 00000630: DIV 00000631: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000646: AND 00000647: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000065c: AND 0000065d: CALLER 0000065e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000673: AND 00000674: EQ 00000675: ISZERO 00000676: ISZERO 00000677: PUSH2 0x067f 0000067a: JUMPI 0000067b: PUSH1 0x00 0000067d: DUP1 0000067e: REVERT 0000067f: JUMPDEST 00000680: PUSH1 0x00 00000682: PUSH1 0x02 00000684: DUP2 00000685: GT 00000686: ISZERO 00000687: PUSH2 0x068c 0000068a: JUMPI 0000068b: INVALID 0000068c: JUMPDEST 0000068d: PUSH1 0x02 0000068f: PUSH1 0x14 00000691: SWAP1 00000692: SLOAD 00000693: SWAP1 00000694: PUSH2 0x0100 00000697: EXP 00000698: SWAP1 00000699: DIV 0000069a: PUSH1 0xff 0000069c: AND 0000069d: PUSH1 0x02 0000069f: DUP2 000006a0: GT 000006a1: ISZERO 000006a2: PUSH2 0x06a7 000006a5: JUMPI 000006a6: INVALID 000006a7: JUMPDEST 000006a8: EQ 000006a9: ISZERO 000006aa: ISZERO 000006ab: PUSH2 0x06b3 000006ae: JUMPI 000006af: PUSH1 0x00 000006b1: DUP1 000006b2: REVERT 000006b3: JUMPDEST 000006b4: PUSH2 0x0705 000006b7: CALLVALUE 000006b8: PUSH1 0x01 000006ba: PUSH1 0x00 000006bc: DUP5 000006bd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006d2: AND 000006d3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006e8: AND 000006e9: DUP2 000006ea: MSTORE 000006eb: PUSH1 0x20 000006ed: ADD 000006ee: SWAP1 000006ef: DUP2 000006f0: MSTORE 000006f1: PUSH1 0x20 000006f3: ADD 000006f4: PUSH1 0x00 000006f6: KECCAK256 000006f7: SLOAD 000006f8: PUSH2 0x089d 000006fb: SWAP1 000006fc: SWAP2 000006fd: SWAP1 000006fe: PUSH4 0xffffffff 00000703: AND 00000704: JUMP 00000705: JUMPDEST 00000706: PUSH1 0x01 00000708: PUSH1 0x00 0000070a: DUP4 0000070b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000720: AND 00000721: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000736: AND 00000737: DUP2 00000738: MSTORE 00000739: PUSH1 0x20 0000073b: ADD 0000073c: SWAP1 0000073d: DUP2 0000073e: MSTORE 0000073f: PUSH1 0x20 00000741: ADD 00000742: PUSH1 0x00 00000744: KECCAK256 00000745: DUP2 00000746: SWAP1 00000747: SSTORE 00000748: POP 00000749: JUMPDEST 0000074a: JUMPDEST 0000074b: POP 0000074c: JUMP 0000074d: JUMPDEST 0000074e: PUSH1 0x00 00000750: PUSH1 0x01 00000752: PUSH1 0x02 00000754: DUP2 00000755: GT 00000756: ISZERO 00000757: PUSH2 0x075c 0000075a: JUMPI 0000075b: INVALID 0000075c: JUMPDEST 0000075d: PUSH1 0x02 0000075f: PUSH1 0x14 00000761: SWAP1 00000762: SLOAD 00000763: SWAP1 00000764: PUSH2 0x0100 00000767: EXP 00000768: SWAP1 00000769: DIV 0000076a: PUSH1 0xff 0000076c: AND 0000076d: PUSH1 0x02 0000076f: DUP2 00000770: GT 00000771: ISZERO 00000772: PUSH2 0x0777 00000775: JUMPI 00000776: INVALID 00000777: JUMPDEST 00000778: EQ 00000779: ISZERO 0000077a: ISZERO 0000077b: PUSH2 0x0783 0000077e: JUMPI 0000077f: PUSH1 0x00 00000781: DUP1 00000782: REVERT 00000783: JUMPDEST 00000784: PUSH1 0x01 00000786: PUSH1 0x00 00000788: DUP4 00000789: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000079e: AND 0000079f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000007b4: AND 000007b5: DUP2 000007b6: MSTORE 000007b7: PUSH1 0x20 000007b9: ADD 000007ba: SWAP1 000007bb: DUP2 000007bc: MSTORE 000007bd: PUSH1 0x20 000007bf: ADD 000007c0: PUSH1 0x00 000007c2: KECCAK256 000007c3: SLOAD 000007c4: SWAP1 000007c5: POP 000007c6: PUSH1 0x00 000007c8: PUSH1 0x01 000007ca: PUSH1 0x00 000007cc: DUP5 000007cd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000007e2: AND 000007e3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000007f8: AND 000007f9: DUP2 000007fa: MSTORE 000007fb: PUSH1 0x20 000007fd: ADD 000007fe: SWAP1 000007ff: DUP2 00000800: MSTORE 00000801: PUSH1 0x20 00000803: ADD 00000804: PUSH1 0x00 00000806: KECCAK256 00000807: DUP2 00000808: SWAP1 00000809: SSTORE 0000080a: POP 0000080b: DUP2 0000080c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000821: AND 00000822: PUSH2 0x08fc 00000825: DUP3 00000826: SWAP1 00000827: DUP2 00000828: ISZERO 00000829: MUL 0000082a: SWAP1 0000082b: PUSH1 0x40 0000082d: MLOAD 0000082e: PUSH1 0x00 00000830: PUSH1 0x40 00000832: MLOAD 00000833: DUP1 00000834: DUP4 00000835: SUB 00000836: DUP2 00000837: DUP6 00000838: DUP9 00000839: DUP9 0000083a: CALL 0000083b: SWAP4 0000083c: POP 0000083d: POP 0000083e: POP 0000083f: POP 00000840: ISZERO 00000841: ISZERO 00000842: PUSH2 0x084a 00000845: JUMPI 00000846: PUSH1 0x00 00000848: DUP1 00000849: REVERT 0000084a: JUMPDEST 0000084b: DUP2 0000084c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000861: AND 00000862: PUSH32 0xd7dee2702d63ad89917b6a4da9981c90c4d24f8c2bdfd64c604ecae57d8d0651 00000883: DUP3 00000884: PUSH1 0x40 00000886: MLOAD 00000887: DUP1 00000888: DUP3 00000889: DUP2 0000088a: MSTORE 0000088b: PUSH1 0x20 0000088d: ADD 0000088e: SWAP2 0000088f: POP 00000890: POP 00000891: PUSH1 0x40 00000893: MLOAD 00000894: DUP1 00000895: SWAP2 00000896: SUB 00000897: SWAP1 00000898: LOG2 00000899: JUMPDEST 0000089a: POP 0000089b: POP 0000089c: JUMP 0000089d: JUMPDEST 0000089e: PUSH1 0x00 000008a0: DUP1 000008a1: DUP3 000008a2: DUP5 000008a3: ADD 000008a4: SWAP1 000008a5: POP 000008a6: DUP4 000008a7: DUP2 000008a8: LT 000008a9: ISZERO 000008aa: ISZERO 000008ab: ISZERO 000008ac: PUSH2 0x08b1 000008af: JUMPI 000008b0: INVALID 000008b1: JUMPDEST 000008b2: DUP1 000008b3: SWAP2 000008b4: POP 000008b5: JUMPDEST 000008b6: POP 000008b7: SWAP3 000008b8: SWAP2 000008b9: POP 000008ba: POP 000008bb: JUMP 000008bc: STOP 000008bd: LOG1 000008be: PUSH6 0x627a7a723058 000008c5: KECCAK256 000008c6: LOG4 000008c7: POP 000008c8: DUP7 000008c9: RETURN 000008ca: UNKNOWN(0xCE) 000008cb: UNKNOWN(0xBD) 000008cc: UNKNOWN(0x0C) 000008cd: UNKNOWN(0xBA) 000008ce: REVERT 000008cf: UNKNOWN(0xDB) 000008d0: UNKNOWN(0xE5) 000008d1: UNKNOWN(0x23) 000008d2: UNKNOWN(0xED) 000008d3: EXTCODESIZE 000008d4: UNKNOWN(0xA7) 000008d5: SUB 000008d6: PC 000008d7: UNKNOWN(0xB2) 000008d8: UNKNOWN(0xE7) 000008d9: SHL 000008da: UNKNOWN(0xED) 000008db: UNKNOWN(0x0D) 000008dc: NUMBER 000008dd: UNKNOWN(0xF9) 000008de: UNKNOWN(0xAD) 000008df: SGT 000008e0: SWAP6 000008e1: UNKNOWN(0xAF) 000008e2: UNKNOWN(0xC6) 000008e3: UNKNOWN(0xB2) 000008e4: UNKNOWN(0x2D) 000008e5: UNKNOWN(0xB2) 000008e6: STOP 000008e7: UNKNOWN(0x29)
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| medium | other | detector | Untrusted CALL target/value reachable | 45 | no | no |
viewtrace_id: 0x304a1b9c8afbe4801c3f0f2c86105de73ceb050b3c298b22a4d461eb201d6e54
call_targets:
0x75922986ffc00648d35a73d4476fa38579551d18
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x304a1b9c8afbe4801c3f0f2c86105de73ceb050b3c298b22a4d461eb201d6e54",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x75922986ffc00648d35a73d4476fa38579551d18"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xffffffff",
"selector": "0xffffffff",
"calldata_variants": [
"0xffffffff",
"0xffffffff0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x43d726d6",
"selector": "0x43d726d6",
"calldata_variants": [
"0x43d726d6",
"0x43d726d60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x521eb273",
"selector": "0x521eb273",
"calldata_variants": [
"0x521eb273",
"0x521eb2730000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8c52dc41",
"selector": "0x8c52dc41",
"calldata_variants": [
"0x8c52dc41",
"0x8c52dc410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xc19d93fb",
"selector": "0xc19d93fb",
"calldata_variants": [
"0xc19d93fb",
"0xc19d93fb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xcb13cddb",
"selector": "0xcb13cddb",
"calldata_variants": [
"0xcb13cddb",
"0xcb13cddb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 987,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
},
{
"pc": 2106,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 2,
"guards_detected": [
{
"pc": 717,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1102,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1409,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1629,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"untrusted_call_count": 2
}
|
| medium | other | detector | ETH value transfer possible | 40 | no | no |
viewtrace_id: 0x304a1b9c8afbe4801c3f0f2c86105de73ceb050b3c298b22a4d461eb201d6e54
call_targets:
0x75922986ffc00648d35a73d4476fa38579551d18
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x304a1b9c8afbe4801c3f0f2c86105de73ceb050b3c298b22a4d461eb201d6e54",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x75922986ffc00648d35a73d4476fa38579551d18"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xffffffff",
"selector": "0xffffffff",
"calldata_variants": [
"0xffffffff",
"0xffffffff0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x43d726d6",
"selector": "0x43d726d6",
"calldata_variants": [
"0x43d726d6",
"0x43d726d60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x521eb273",
"selector": "0x521eb273",
"calldata_variants": [
"0x521eb273",
"0x521eb2730000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8c52dc41",
"selector": "0x8c52dc41",
"calldata_variants": [
"0x8c52dc41",
"0x8c52dc410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xc19d93fb",
"selector": "0xc19d93fb",
"calldata_variants": [
"0xc19d93fb",
"0xc19d93fb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xcb13cddb",
"selector": "0xcb13cddb",
"calldata_variants": [
"0xcb13cddb",
"0xcb13cddb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 987,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
},
{
"pc": 2106,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 2,
"guards_detected": [
{
"pc": 717,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1102,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1409,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1629,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
]
}
|