Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

917b738a-1290-42cc-8b5f-570e216d6432

complete
Chain ID: 1
Address:
Block Number:
Created: Sat, Jan 3, 2026 3:39 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Bytecode only
Review Backing: Not yet
Best current signal: Untrusted CALL target/value reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31449 report.consolidate complete 1 / 1 3 months ago
77320 artifact.fetch complete 1 / 3 2 weeks ago
77321 tool.cast_disasm complete 1 / 3 2 weeks ago
77322 analysis.bundle complete 1 / 3 2 weeks ago
77323 capability.graph complete 1 / 3 2 weeks ago
77324 detector.run complete 1 / 3 2 weeks ago
77325 validation.fork complete 1 / 3 2 weeks ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 0
No findings? yes
Summary: Analyzed runtime bytecode in BYTECODE_BUNDLE.txt; all executable paths are gated by a hardcoded CALLER equality check, and no unauthenticated value-transfer or upgrade path is reachable. No concrete profit extraction path identified from bytecode alone.
stderr
[codex:1037327] OpenAI Codex v0.77.0 (research preview)
[codex:1037327] --------
[codex:1037327] workdir: /tmp/codex-multi-vngqs3n4
[codex:1037327] model: gpt-5.2-codex
[codex:1037327] provider: openai
[codex:1037327] approval: never
[codex:1037327] sandbox: read-only
[codex:1037327] reasoning effort: xhigh
[codex:1037327] reasoning summaries: auto
[codex:1037327] session id: 019b81ee-4fda-7233-96eb-da7a8584ec29
[codex:1037327] --------
[codex:1037327] user
[codex:1037327] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:1037327] 
[codex:1037327] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:1037327] 
[codex:1037327] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:1037327] - Gas inefficiency, code quality, or best practices
[codex:1037327] - Theoretical vulnerabilities without a clear extraction path
[codex:1037327] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:1037327] - Issues requiring social engineering or off-chain coordination
[codex:1037327] 
[codex:1037327] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:1037327] - CALL/DELEGATECALL with controllable destination or calldata
[codex:1037327] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:1037327] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:1037327] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:1037327] - External calls before state updates (reentrancy)
[codex:1037327] - SELFDESTRUCT with controllable beneficiary
[codex:1037327] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:1037327] 
[codex:1037327] For each finding, you MUST explain:
[codex:1037327] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:1037327] 2. The concrete sequence of transactions to extract value
[codex:1037327] 3. Why you believe this is exploitable (not just suspicious)
[codex:1037327] 
[codex:1037327] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:1037327] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:1037327] 
[codex:1037327] Output MUST be valid JSON matching the provided schema.
[codex:1037327] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:1037327] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:1037327] mcp startup: no servers
[codex:1037327] 
[codex:1037327] thinking
[codex:1037327] **Reading file contents**
[codex:1037327] exec
[codex:1037327] /bin/bash -lc ls in /tmp/codex-multi-vngqs3n4 succeeded in 7ms:
[codex:1037327] BYTECODE_BUNDLE.txt
[codex:1037327] codex-output-schema.json
[codex:1037327] exec
[codex:1037327] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-vngqs3n4 succeeded in 5ms:
[codex:1037327] Runtime bytecode bundle for best-effort auditing.
[codex:1037327] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:1037327] 
[codex:1037327] FILE: runtime_bytecode.hex
[codex:1037327] 0x7f000000000000000000000000ad1d68a038fd2586067ef6d135d9628e79c2c924331415606657361561003e575f3560801b4262093a8001175f556066565b5f548063ffffffff1642116050576062565b60801c5f5f5f5f93335a5f5f55f16066575b5f5ffd5b5f5ff3
[codex:1037327] 
[codex:1037327] thinking
[codex:1037327] **Decoding EVM bytecode**
[codex:1037327] exec
[codex:1037327] /bin/bash -lc "python - <<'PY'
[codex:1037327] from eth_utils import to_bytes
[codex:1037327] code_hex='7f000000000000000000000000ad1d68a038fd2586067ef6d135d9628e79c2c924331415606657361561003e575f3560801b4262093a8001175f556066565b5f548063ffffffff1642116050576062565b60801c5f5f5f5f93335a5f5f55f16066575b5f5ffd5b5f5ff3'
[codex:1037327] code=bytes.fromhex(code_hex)
[codex:1037327] 
[codex:1037327] opcodes = {i:op for i,op in enumerate(['STOP','ADD','MUL','SUB','DIV','SDIV','MOD','SMOD','ADDMOD','MULMOD','EXP','SIGNEXTEND','LT','GT','SLT','SGT','EQ','ISZERO','AND','OR','XOR','NOT','BYTE','SHL','SHR','SAR','SHA3']+['']*0)}
[codex:1037327] # better use ethereum opcodes map
[codex:1037327] 
[codex:1037327] opmap={
[codex:1037327] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:1037327] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:1037327] 0x20:'SHA3',
[codex:1037327] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:1037327] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:1037327] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:1037327] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
[codex:1037327] 0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:1037327] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:1037327] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:1037327] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:1037327] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:1037327] }
[codex:1037327] 
[codex:1037327] pc=0
[codex:1037327] out=[]
[codex:1037327] while pc<len(code):
[codex:1037327]     op=code[pc]
[codex:1037327]     name=opmap.get(op,hex(op))
[codex:1037327]     if 0x60<=op<=0x7f:
[codex:1037327]         n=op-0x5f
[codex:1037327]         data=code[pc+1:pc+1+n]
[codex:1037327]         out.append((pc,name,data.hex()))
[codex:1037327]         pc+=1+n
[codex:1037327]     else:
[codex:1037327]         out.append((pc,name,''))
[codex:1037327]         pc+=1
[codex:1037327] 
[codex:1037327] for pc,name,arg in out:
[codex:1037327]     if arg:
[codex:1037327]         print(f\"{pc:04x}: {name} 0x{arg}\")
[codex:1037327]     else:
[codex:1037327]         print(f\"{pc:04x}: {name}\")
[codex:1037327] PY" in /tmp/codex-multi-vngqs3n4 succeeded in 229ms:
[codex:1037327] 0000: PUSH32 0x000000000000000000000000ad1d68a038fd2586067ef6d135d9628e79c2c924
[codex:1037327] 0021: CALLER
[codex:1037327] 0022: EQ
[codex:1037327] 0023: ISZERO
[codex:1037327] 0024: PUSH1 0x66
[codex:1037327] 0026: JUMPI
[codex:1037327] 0027: CALLDATASIZE
[codex:1037327] 0028: ISZERO
[codex:1037327] 0029: PUSH2 0x003e
[codex:1037327] 002c: JUMPI
[codex:1037327] 002d: 0x5f
[codex:1037327] 002e: CALLDATALOAD
[codex:1037327] 002f: PUSH1 0x80
[codex:1037327] 0031: SHL
[codex:1037327] 0032: TIMESTAMP
[codex:1037327] 0033: PUSH3 0x093a80
[codex:1037327] 0037: ADD
[codex:1037327] 0038: OR
[codex:1037327] 0039: 0x5f
[codex:1037327] 003a: SSTORE
[codex:1037327] 
[codex:1037327] 
[codex:1037327] thinking
[codex:1037327] **Analyzing EVM bytecode logic and access control**
[codex:1037327] thinking
[codex:1037327] **Preparing JSON no-findings report**
[codex:1037327] 
[codex:1037327] I'm composing a JSON response confirming no vulnerabilities found in the analyzed bytecode, with a clear summary and empty findings array as the user requested.
[codex:1037327] codex
[codex:1037327] {"no_findings":true,"summary":"Analyzed runtime bytecode in BYTECODE_BUNDLE.txt; all executable paths are gated by a hardcoded CALLER equality check, and no unauthenticated value-transfer or upgrade path is reachable. No concrete profit extraction path identified from bytecode alone.","findings":[]}
[codex:1037327] tokens used
[codex:1037327] 10,830
[codex:1037327] {"no_findings":true,"summary":"Analyzed runtime bytecode in BYTECODE_BUNDLE.txt; all executable paths are gated by a hardcoded CALLER equality check, and no unauthenticated value-transfer or upgrade path is reachable. No concrete profit extraction path identified from bytecode alone.","findings":[]}
Metadata
{
    "codex": {
        "ran_at": "2026-01-03T03:39:17.766430+00:00",
        "returncode": 0
    },
    "summary": "Analyzed runtime bytecode in BYTECODE_BUNDLE.txt; all executable paths are gated by a hardcoded CALLER equality check, and no unauthenticated value-transfer or upgrade path is reachable. No concrete profit extraction path identified from bytecode alone.",
    "raw_final": {
        "summary": "Analyzed runtime bytecode in BYTECODE_BUNDLE.txt; all executable paths are gated by a hardcoded CALLER equality check, and no unauthenticated value-transfer or upgrade path is reachable. No concrete profit extraction path identified from bytecode alone.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 0
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 1
EXT*/BALANCE: 0
Total opcodes: 58
Flags: No heuristic flags raised.
cast disassembly output
00000000: PUSH32 0x000000000000000000000000ad1d68a038fd2586067ef6d135d9628e79c2c924
00000021: CALLER
00000022: EQ
00000023: ISZERO
00000024: PUSH1 0x66
00000026: JUMPI
00000027: CALLDATASIZE
00000028: ISZERO
00000029: PUSH2 0x003e
0000002c: JUMPI
0000002d: PUSH0
0000002e: CALLDATALOAD
0000002f: PUSH1 0x80
00000031: SHL
00000032: TIMESTAMP
00000033: PUSH3 0x093a80
00000037: ADD
00000038: OR
00000039: PUSH0
0000003a: SSTORE
0000003b: PUSH1 0x66
0000003d: JUMP
0000003e: JUMPDEST
0000003f: PUSH0
00000040: SLOAD
00000041: DUP1
00000042: PUSH4 0xffffffff
00000047: AND
00000048: TIMESTAMP
00000049: GT
0000004a: PUSH1 0x50
0000004c: JUMPI
0000004d: PUSH1 0x62
0000004f: JUMP
00000050: JUMPDEST
00000051: PUSH1 0x80
00000053: SHR
00000054: PUSH0
00000055: PUSH0
00000056: PUSH0
00000057: PUSH0
00000058: SWAP4
00000059: CALLER
0000005a: GAS
0000005b: PUSH0
0000005c: PUSH0
0000005d: SSTORE
0000005e: CALL
0000005f: PUSH1 0x66
00000061: JUMPI
00000062: JUMPDEST
00000063: PUSH0
00000064: PUSH0
00000065: REVERT
00000066: JUMPDEST
00000067: PUSH0
00000068: PUSH0
00000069: RETURN

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
medium other detector Untrusted CALL target/value reachable 45 no no
trace_id: 0xdb1d7bd0035476060c9bce46e955334162995a21a1e4a1e78467d83771d77f98
call_targets: 0x02ba2c5835bf84fc03348de86d80cedea60367da
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xdb1d7bd0035476060c9bce46e955334162995a21a1e4a1e78467d83771d77f98",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x02ba2c5835bf84fc03348de86d80cedea60367da"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 94,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "constant_zero",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 1,
    "guards_detected": [
        {
            "pc": 34,
            "type": "msg_sender_eq_const",
            "value": 9.883112391619485e+47
        }
    ],
    "untrusted_call_count": 1
}