96fafab8-2326-4b10-82d3-5a437d4d2346
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31469 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 77440 | artifact.fetch | complete | 1 / 3 | 1 week ago |
| 77441 | tool.cast_disasm | complete | 1 / 3 | 1 week ago |
| 77442 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 77443 | capability.graph | complete | 1 / 3 | 1 week ago |
| 77444 | detector.run | complete | 1 / 3 | 1 week ago |
| 77445 | validation.fork | complete | 1 / 3 | 1 week ago |
No slither job recorded yet.
[codex:373128] OpenAI Codex v0.77.0 (research preview)
[codex:373128] --------
[codex:373128] workdir: /tmp/codex-multi-ruq3xtn1
[codex:373128] model: gpt-5.2-codex
[codex:373128] provider: openai
[codex:373128] approval: never
[codex:373128] sandbox: read-only
[codex:373128] reasoning effort: xhigh
[codex:373128] reasoning summaries: auto
[codex:373128] session id: 019b85e5-f246-7a23-b7f2-22cb25c165a2
[codex:373128] --------
[codex:373128] user
[codex:373128] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:373128]
[codex:373128] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:373128]
[codex:373128] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:373128] - Gas inefficiency, code quality, or best practices
[codex:373128] - Theoretical vulnerabilities without a clear extraction path
[codex:373128] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:373128] - Issues requiring social engineering or off-chain coordination
[codex:373128]
[codex:373128] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:373128] - CALL/DELEGATECALL with controllable destination or calldata
[codex:373128] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:373128] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:373128] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:373128] - External calls before state updates (reentrancy)
[codex:373128] - SELFDESTRUCT with controllable beneficiary
[codex:373128] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:373128]
[codex:373128] For each finding, you MUST explain:
[codex:373128] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:373128] 2. The concrete sequence of transactions to extract value
[codex:373128] 3. Why you believe this is exploitable (not just suspicious)
[codex:373128]
[codex:373128] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:373128] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:373128]
[codex:373128] Output MUST be valid JSON matching the provided schema.
[codex:373128] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:373128] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:373128] mcp startup: no servers
[codex:373128]
[codex:373128] thinking
[codex:373128] **Deciding how to read file**
[codex:373128] exec
[codex:373128] /bin/bash -lc ls in /tmp/codex-multi-ruq3xtn1 succeeded in 6ms:
[codex:373128] BYTECODE_BUNDLE.txt
[codex:373128] codex-output-schema.json
[codex:373128] exec
[codex:373128] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-ruq3xtn1 succeeded in 6ms:
[codex:373128] Runtime bytecode bundle for best-effort auditing.
[codex:373128] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:373128]
[codex:373128] FILE: runtime_bytecode.hex
[codex:373128] 0x60806040526004361061007b5760003560e01c8063ab15f6911161004e578063ab15f6911461016b578063d6356cd01461019e578063e75f7ddb146101e2578063fd8c06c6146102285761007b565b8063042a28471461007d578063425132f0146100b057806363920c09146100fd578063a6c0792414610130575b005b34801561008957600080fd5b5061007b600480360360208110156100a057600080fd5b50356001600160a01b031661025b565b3480156100bc57600080fd5b506100eb600480360360408110156100d357600080fd5b506001600160a01b038135811691602001351661039b565b60408051918252519081900360200190f35b34801561010957600080fd5b506100eb6004803603602081101561012057600080fd5b50356001600160a01b03166103b5565b34801561013c57600080fd5b5061007b6004803603604081101561015357600080fd5b506001600160a01b03813581169160200135166103c7565b34801561017757600080fd5b5061007b6004803603602081101561018e57600080fd5b50356001600160a01b031661045e565b61007b600480360360a08110156101b457600080fd5b506001600160a01b03813581169160208101359160408201359160608101359091169060800135151561054a565b3480156101ee57600080fd5b5061020c6004803603602081101561020557600080fd5b50356106cc565b604080516001600160a01b039092168252519081900360200190f35b34801561023457600080fd5b506100eb6004803603602081101561024b57600080fd5b50356001600160a01b03166106f3565b6001600160a01b0381166000818152600360205260408120909183908390610285575030316102fd565b60408051600160e01b6370a0823102815230600482015290516001600160a01b038416916370a08231916024808301926020929190829003018186803b1580156102ce57600080fd5b505afa1580156102e2573d6000803e3d6000fd5b505050506040513d60208110156102f857600080fd5b505190505b6001600160a01b03851660009081526001602052604090205461032790829063ffffffff61070516565b905060005b6002548110156103895760006002828154811061034557fe5b6000918252602090912001546001600160a01b0316905085806103705750336001600160a01b038216145b955061037e8588838661071c565b92505060010161032c565b508361039457600080fd5b5050505050565b600060208181529281526040808220909352908152205481565b60016020526000908152604090205481565b6001600160a01b03808316600090815260208181526040808320938516835292905220548015610459576001600160a01b03821660009081526001602052604090205461041a908263ffffffff61070516565b6001600160a01b038084166000818152600160209081526040808320959095559287168152808352838120918152915290812055610459828483610773565b505050565b61046960023361087a565b61047257600080fd5b6001600160a01b03811660008181526003602052604081209183919061049a57503031610512565b60408051600160e01b6370a0823102815230600482015290516001600160a01b038416916370a08231916024808301926020929190829003018186803b1580156104e357600080fd5b505afa1580156104f7573d6000803e3d6000fd5b505050506040513d602081101561050d57600080fd5b505190505b6001600160a01b03841660009081526001602052604090205461053c90829063ffffffff61070516565b90506103948385338461071c565b82841015801561055a5750600084115b61056357600080fd5b6001600160a01b0385166105825783341461057d57600080fd5b61061a565b341561058d57600080fd5b60408051600160e01b6323b872dd0281523360048201523060248201526044810186905290516001600160a01b038716916323b872dd9160648083019260209291908290030181600087803b1580156105e557600080fd5b505af11580156105f9573d6000803e3d6000fd5b505050506040513d602081101561060f57600080fd5b505161061a57600080fd5b821561039457801561063657610631858385610773565b610394565b6001600160a01b03851660009081526001602052604090205461065f908463ffffffff6108d416565b6001600160a01b038087166000818152600160209081526040808320959095559286168152808352838120918152915220546106a1908463ffffffff6108d416565b6001600160a01b03808416600090815260208181526040808320938a16835292905220555050505050565b600281815481106106d957fe5b6000918252602090912001546001600160a01b0316905081565b60036020526000908152604090205481565b60008282111561071157fe5b508082035b92915050565b60408051808201909152600181526002546020820152600090819061074c9087908690869063ffffffff6108ea16565b9050610759858583610773565b610769838263ffffffff61070516565b9695505050505050565b6001600160a01b0383166107e5576040516000906001600160a01b0384169083908381818185875af1925050503d80600081146107cc576040519150601f19603f3d011682016040523d82523d6000602084013e6107d1565b606091505b50509050806107df57600080fd5b50610459565b826001600160a01b031663a9059cbb83836040518363ffffffff1660e01b815260040180836001600160a01b03166001600160a01b0316815260200182815260200192505050602060405180830381600087803b15801561084557600080fd5b505af1158015610859573d6000803e3d6000fd5b505050506040513d602081101561086f57600080fd5b505161045957600080fd5b6000805b83548110156108ca57826001600160a01b031684828154811061089d57fe5b6000918252602090912001546001600160a01b031614156108c2576001915050610716565b60010161087e565b5060009392505050565b6000828201838110156108e357fe5b9392505050565b6000806109146109078760000154866108d490919063ffffffff16565b849063ffffffff6109b716565b6001600160a01b03861660009081526001880160205260409020549091508181111561093c57fe5b600061094e838363ffffffff61070516565b6001600160a01b038816600090815260018a01602052604090205490915061097c908263ffffffff6108d416565b6001600160a01b038816600090815260018a01602052604090205587546109a9908263ffffffff6108d416565b885592505050949350505050565b602082015182516000916108e3916109d09085906109dc565b9063ffffffff610a0016565b6000826109eb57506000610716565b828202828482816109f857fe5b04146108e357fe5b6000818381610a0b57fe5b04939250505056fea165627a7a723058209ef515db81b58339bf0a7c3dba8ea97470620190b831dec8fc1bdd0ac2804acb0029
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing bytecode for exploits**
[codex:373128]
[codex:373128] I'm examining the contract's runtime bytecode to identify function selectors and decode their behavior, focusing on potential exploit paths involving ERC20 token calls like transfer and transferFrom. Since the environment is read-only without network access, I'm planning to write a simple Python disassembler script to parse and understand the logic better.
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import binascii
[codex:373128] code=open('BYTECODE_BUNDLE.txt').read().split('runtime_bytecode.hex')[1]
[codex:373128] # extract hex after newline
[codex:373128] import re
[codex:373128] m=re.search(r'0x[0-9a-fA-F]+',code)
[codex:373128] hexcode=m.group(0)[2:]
[codex:373128] codebytes=bytes.fromhex(hexcode)
[codex:373128] ops={
[codex:373128] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:373128] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:373128] 0x20:'SHA3',
[codex:373128] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:373128] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:373128] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:373128] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
[codex:373128] 0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:373128] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:373128] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:373128] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:373128] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:373128] }
[codex:373128]
[codex:373128] pc=0
[codex:373128] out=[]
[codex:373128] while pc<len(codebytes):
[codex:373128] op=codebytes[pc]
[codex:373128] name=ops.get(op,'UNKNOWN')
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f
[codex:373128] data=codebytes[pc+1:pc+1+n]
[codex:373128] out.append(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:373128] pc+=1+n
[codex:373128] else:
[codex:373128] out.append(f\"{pc:04x}: {name}\")
[codex:373128] pc+=1
[codex:373128]
[codex:373128] print('\\n'.join(out))
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 26ms:
[codex:373128] 0000: PUSH1 0x80
[codex:373128] 0002: PUSH1 0x40
[codex:373128] 0004: MSTORE
[codex:373128] 0005: PUSH1 0x04
[codex:373128] 0007: CALLDATASIZE
[codex:373128] 0008: LT
[codex:373128] 0009: PUSH2 0x007b
[codex:373128] 000c: JUMPI
[codex:373128] 000d: PUSH1 0x00
[codex:373128] 000f: CALLDATALOAD
[codex:373128] 0010: PUSH1 0xe0
[codex:373128] 0012: SHR
[codex:373128] 0013: DUP1
[codex:373128] 0014: PUSH4 0xab15f691
[codex:373128] 0019: GT
[codex:373128] 001a: PUSH2 0x004e
[codex:373128] 001d: JUMPI
[codex:373128] 001e: DUP1
[codex:373128] 001f: PUSH4 0xab15f691
[codex:373128] 0024: EQ
[codex:373128]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing storage and function stack usage**
[codex:373128] thinking
[codex:373128] **Verifying stack depth assumptions and call paths**
[codex:373128]
[codex:373128] I'm tracing stack items carefully to explain how the internal function avoids stack underflow at DUP4 despite seeming to have only three items. It looks like there might be conditional branches or subtle calling conventions ensuring enough stack values, so the external calls and dispatcher interplay require deeper analysis to confirm consistent stack depths at runtime.
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] start=0x0258; end=0x0288
[codex:373128] for i in range(start,end):
[codex:373128] print(f\"{i:04x}: {code[i]:02x}\")
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 24ms:
[codex:373128] 0258: 06
[codex:373128] 0259: f3
[codex:373128] 025a: 56
[codex:373128] 025b: 5b
[codex:373128] 025c: 60
[codex:373128] 025d: 01
[codex:373128] 025e: 60
[codex:373128] 025f: 01
[codex:373128] 0260: 60
[codex:373128] 0261: a0
[codex:373128] 0262: 1b
[codex:373128] 0263: 03
[codex:373128] 0264: 81
[codex:373128] 0265: 16
[codex:373128] 0266: 60
[codex:373128] 0267: 00
[codex:373128] 0268: 81
[codex:373128] 0269: 81
[codex:373128] 026a: 52
[codex:373128] 026b: 60
[codex:373128]
[codex:373128]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing EVM stack and function call patterns**
[codex:373128]
[codex:373128] I'm decoding bytecode to understand stack operations, especially why DUP4 appears and how the function parameters align on the stack; I’m exploring if certain functions are unreachable due to stack underflow. I'm also investigating if there are any risky value transfers or unchecked calls that might indicate potential exploits.
[codex:373128] thinking
[codex:373128] **Examining access checks and fund transfer logic**
[codex:373128]
[codex:373128] I’m tracing how internal function 0x0773 handles token and ETH transfers, checking what external functions call it and whether access control properly restricts who can trigger these transfers. I’m also analyzing storage and call flow to understand if funds could be moved without authorization.
[codex:373128] thinking
[codex:373128] **Investigating authorization list management**
[codex:373128]
[codex:373128] I’m checking if the contract allows unauthorized modification of the membership array stored at slot 2, which controls access to privileged functions; I’m analyzing storage writes and internal calls to see if any external functions permit attackers to add themselves to that list.
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] # find occurrences of '6002' followed by '55'
[codex:373128] for m in re.finditer('600255', hexcode):
[codex:373128] print(hex(m.start()//2))
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 23ms:
[codex:373128]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Listing SSTORE offsets**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] for i,b in enumerate(code):
[codex:373128] if b==0x55:
[codex:373128] print(hex(i))
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 25ms:
[codex:373128] 0x43a
[codex:373128] 0x44e
[codex:373128] 0x67f
[codex:373128] 0x6c5
[codex:373128] 0x997
[codex:373128] 0x9ab
[codex:373128]
[codex:373128] thinking
[codex:373128] **Investigating storage updates and access control**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] for i,b in enumerate(code):
[codex:373128] if b==0x33: # CALLER
[codex:373128] print(hex(i))
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 22ms:
[codex:373128] 0x364
[codex:373128] 0x464
[codex:373128] 0x544
[codex:373128] 0x59f
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing contract caller usage and parameter stack**
[codex:373128]
[codex:373128] I'm dissecting how the contract uses the CALLER and parameters, especially focusing on the stack order during a critical function. I'm piecing together how token address and caller are passed using stack offsets and trying to simulate the stub’s stack to clarify parameter positions and ensure correct interpretation of the EVM instructions. This method may reveal how token and value checks operate inside the function.
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] # symbolic simulation for stub starting at 0x019e until jump to 0x054a
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] # disassemble with mapping
[codex:373128] ops={
[codex:373128] **{i:'STOP' for i in []}
[codex:373128] }
[codex:373128] # minimal mapping
[codex:373128] opnames={
[codex:373128] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:373128] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:373128] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:373128] 0xfd:'REVERT'
[codex:373128] }
[codex:373128]
[codex:373128] # simple stack simulation storing labels
[codex:373128] stack=[]
[codex:373128] labels_counter=0
[codex:373128]
[codex:373128] def push(val):
[codex:373128] stack.append(val)
[codex:373128]
[codex:373128]
[codex:373128] def pop():
[codex:373128] return stack.pop() if stack else 'UNDER'
[codex:373128]
[codex:373128] # Start at 0x019e
[codex:373128] pc=0x019e
[codex:373128] # initialize stack as in dispatcher when jumping to 0x019e
[codex:373128] # assume selector remains on stack
[codex:373128] stack=['selector']
[codex:373128]
[codex:373128] # run until JUMP to 0x054a
[codex:373128] while pc < len(code):
[codex:373128] op=code[pc]
[codex:373128] name=opnames.get(op,f'OP{op:02x}')
[codex:373128] # print(pc, name, stack)
[codex:373128] if op==0x5b: # JUMPDEST
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n];
[codex:373128] push(int.from_bytes(data,'big'))
[codex:373128] pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:])
[codex:373128] push(stack[-idx])
[codex:373128] pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:])
[codex:373128] # swap top with idx+1
[codex:373128] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:373128] pc+=1; continue
[codex:373128] if name=='POP':
[codex:373128] pop(); pc+=1; continue
[codex:373128] if name=='CALLDATALOAD':
[codex:373128] offset=pop()
[codex:373128] push(f'calldata@{offset}')
[codex:373128] pc+=1; continue
[codex:373128] if name=='CALLDATASIZE':
[codex:373128] push('calldatasize'); pc+=1; continue
[codex:373128] if name=='SUB':
[codex:373128] b=pop(); a=pop(); push(f'({a}-{b})'); pc+=1; continue
[codex:373128] if name=='ADD':
[codex:373128] b=pop(); a=pop(); push(f'({a}+{b})'); pc+=1; continue
[codex:373128] if name=='LT':
[codex:373128] b=pop(); a=pop(); push(f'({a}<{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=pop(); push(f'iszero({a})'); pc+=1; continue
[codex:373128] if name=='AND':
[codex:373128] b=pop(); a=pop(); push(f'({a}&{b})'); pc+=1; continue
[codex:373128] if name=='CALLVALUE':
[codex:373128] push('callvalue'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=pop(); cond=pop(); pc+=1; continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=pop();
[codex:373128] # stop at jump to 0x054a
[codex:373128] if dest==0x054a:
[codex:373128] print('Stack at jump to 0x054a:')
[codex:373128] print(stack)
[codex:373128] break
[codex:373128] else:
[codex:373128] # just jump not handled
[codex:373128] pc+=1; continue
[codex:373128] if name=='REVERT':
[codex:373128] break
[codex:373128] else:
[codex:373128] # ignore other ops
[codex:373128] pc+=1
[codex:373128]
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 23ms:
[codex:373128]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing missing JUMP execution**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128] stack=['selector']
[codex:373128]
[codex:373128] pc=0x019e
[codex:373128] steps=0
[codex:373128] while pc < len(code) and steps<500:
[codex:373128] steps+=1
[codex:373128] op=code[pc]
[codex:373128] name=opnames.get(op,f'OP{op:02x}')
[codex:373128] # print debug
[codex:373128] #print(f\"{pc:04x} {name} stack:{stack}\")
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n];
[codex:373128] stack.append(int.from_bytes(data,'big'))
[codex:373128] pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); stack.append(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP':
[codex:373128] stack.pop(); pc+=1; continue
[codex:373128] if name=='CALLDATALOAD':
[codex:373128] offset=stack.pop(); stack.append(f'calldata@{offset}'); pc+=1; continue
[codex:373128] if name=='CALLDATASIZE':
[codex:373128] stack.append('calldatasize'); pc+=1; continue
[codex:373128] if name=='SUB':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}-{b})'); pc+=1; continue
[codex:373128] if name=='ADD':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}+{b})'); pc+=1; continue
[codex:373128] if name=='LT':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}<{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=stack.pop(); stack.append(f'iszero({a})'); pc+=1; continue
[codex:373128] if name=='AND':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}&{b})'); pc+=1; continue
[codex:373128] if name=='CALLVALUE':
[codex:373128] stack.append('callvalue'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=stack.pop(); cond=stack.pop(); pc+=1; continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=stack.pop();
[codex:373128] if dest==0x054a:
[codex:373128] print('Reached JUMP to 0x054a')
[codex:373128] print('Stack:',stack)
[codex:373128] break
[codex:373128] else:
[codex:373128] print('Jump to',dest,'stack',stack)
[codex:373128] break
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] print('steps',steps)
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 24ms:
[codex:373128] revert
[codex:373128] steps 15
[codex:373128]
[codex:373128] thinking
[codex:373128] **Handling JUMPI branching in simulation**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] stack=['selector']
[codex:373128] pc=0x019e
[codex:373128] steps=0
[codex:373128] while pc < len(code) and steps<500:
[codex:373128] steps+=1
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] #print(f\"{pc:04x} {name} stack:{stack}\")
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; stack.append(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); stack.append(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP':
[codex:373128] stack.pop(); pc+=1; continue
[codex:373128] if name=='CALLDATALOAD':
[codex:373128] offset=stack.pop(); stack.append(f'calldata@{offset}'); pc+=1; continue
[codex:373128] if name=='CALLDATASIZE':
[codex:373128] stack.append('calldatasize'); pc+=1; continue
[codex:373128] if name=='SUB':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}-{b})'); pc+=1; continue
[codex:373128] if name=='ADD':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}+{b})'); pc+=1; continue
[codex:373128] if name=='LT':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}<{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=stack.pop(); stack.append(f'iszero({a})'); pc+=1; continue
[codex:373128] if name=='AND':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}&{b})'); pc+=1; continue
[codex:373128] if name=='CALLVALUE':
[codex:373128] stack.append('callvalue'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=stack.pop(); cond=stack.pop();
[codex:373128] if isinstance(dest,int):
[codex:373128] pc=dest
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128] continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=stack.pop();
[codex:373128] if dest==0x054a:
[codex:373128] print('Reached JUMP to 0x054a')
[codex:373128] print('Stack:',stack)
[codex:373128] break
[codex:373128] else:
[codex:373128] print('Jump to',dest,'stack',stack)
[codex:373128] break
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] print('steps',steps)
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 26ms:
[codex:373128] Reached JUMP to 0x054a
[codex:373128] Stack: ['selector', 123, 4, '(calldata@1&(1-160))', 'calldata@(32+1)', 'calldata@(64+1)', '(calldata@(96+1)&(1-160))', 'iszero(iszero(calldata@(1+128)))']
[codex:373128] steps 49
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing EVM stack and parameters**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128]
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] stack=['selector']
[codex:373128] pc=0x019e
[codex:373128] param_counter=0
[codex:373128] mask_label='mask'
[codex:373128] steps=0
[codex:373128]
[codex:373128] def fmt(x):
[codex:373128] return x
[codex:373128]
[codex:373128] while pc < len(code) and steps<500:
[codex:373128] steps+=1
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] #print(f\"{pc:04x} {name} stack:{stack}\")
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; stack.append(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); stack.append(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP':
[codex:373128] stack.pop(); pc+=1; continue
[codex:373128] if name=='CALLDATALOAD':
[codex:373128] offset=stack.pop(); param_counter+=1
[codex:373128] stack.append(f'param{param_counter}@{offset}')
[codex:373128] pc+=1; continue
[codex:373128] if name=='CALLDATASIZE':
[codex:373128] stack.append('calldatasize'); pc+=1; continue
[codex:373128] if name=='SUB':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}-{b})'); pc+=1; continue
[codex:373128] if name=='ADD':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}+{b})'); pc+=1; continue
[codex:373128] if name=='LT':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}<{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=stack.pop(); stack.append(f'iszero({a})'); pc+=1; continue
[codex:373128] if name=='AND':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}&{b})'); pc+=1; continue
[codex:373128] if name=='CALLVALUE':
[codex:373128] stack.append('callvalue'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=stack.pop(); cond=stack.pop();
[codex:373128] if isinstance(dest,int):
[codex:373128] pc=dest
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128] continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=stack.pop();
[codex:373128] if dest==0x054a:
[codex:373128] print('Stack at JUMP to 0x054a:')
[codex:373128] print(stack)
[codex:373128] break
[codex:373128] else:
[codex:373128] print('Jump to',dest,'stack',stack)
[codex:373128] break
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 23ms:
[codex:373128] Stack at JUMP to 0x054a:
[codex:373128] ['selector', 123, 4, '(param1@1&(1-160))', 'param2@(32+1)', 'param3@(64+1)', '(param4@(96+1)&(1-160))', 'iszero(iszero(param5@(1+128)))']
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing parameter roles and preparing symbolic simulation**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128]
[codex:373128] # op names
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] # initial stack at entry to 0x054a
[codex:373128] stack=['selector','ret','offset4','param1','param2','param3','param4','param5']
[codex:373128]
[codex:373128] pc=0x054a
[codex:373128] steps=0
[codex:373128]
[codex:373128] def pop():
[codex:373128] return stack.pop() if stack else 'UNDER'
[codex:373128]
[codex:373128] def push(v):
[codex:373128] stack.append(v)
[codex:373128]
[codex:373128] # choose to take jump at 0x056e (token addr "'!=0)
[codex:373128] # We'"'ll follow JUMPI targets by default.
[codex:373128]
[codex:373128] while pc < len(code) and steps<1000:
[codex:373128] steps+=1
[codex:373128] if pc==0x058d:
[codex:373128] print('Stack at 0x058d transferFrom:')
[codex:373128] print(stack)
[codex:373128] break
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] #print(f\"{pc:04x} {name} stack:{stack}\")
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; push(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); push(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP': pop(); pc+=1; continue
[codex:373128] if name in ('ADD','SUB','MUL','DIV','AND','LT','EQ'):
[codex:373128] b=pop(); a=pop(); push(f'({a}{name}{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=pop(); push(f'ISZERO({a})'); pc+=1; continue
[codex:373128] if name=='CALLVALUE':
[codex:373128] push('callvalue'); pc+=1; continue
[codex:373128] if name=='CALLER':
[codex:373128] push('caller'); pc+=1; continue
[codex:373128] if name=='ADDRESS':
[codex:373128] push('this'); pc+=1; continue
[codex:373128] if name=='MLOAD':
[codex:373128] offset=pop(); push(f'MLOAD({offset})'); pc+=1; continue
[codex:373128] if name=='MSTORE':
[codex:373128] val=pop(); offset=pop(); pc+=1; continue
[codex:373128] if name=='SLOAD':
[codex:373128] slot=pop(); push(f'SLOAD({slot})'); pc+=1; continue
[codex:373128] if name=='SSTORE':
[codex:373128] val=pop(); slot=pop(); pc+=1; continue
[codex:373128] if name=='CALL':
[codex:373128] # pop 7 args
[codex:373128] args=[pop() for _ in range(7)]; push('callresult'); pc+=1; continue
[codex:373128] if name=='STATICCALL':
[codex:373128] args=[pop() for _ in range(6)]; push('staticcallresult'); pc+=1; continue
[codex:373128] if name=='GAS':
[codex:373128] push('gas'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=pop(); cond=pop();
[codex:373128] # take jump if dest is int
[codex:373128] if isinstance(dest,int):
[codex:373128] pc=dest
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128] continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=pop();
[codex:373128] if isinstance(dest,int):
[codex:373128] pc=dest; continue
[codex:373128] else:
[codex:373128] break
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] if steps>=1000:
[codex:373128] print('did not reach 0x058d')
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 27ms:
[codex:373128] Stack at 0x058d transferFrom:
[codex:373128] ['selector', 'ret', 'offset4', 'param1', 'param2', 'param3', 'param4', 'param5', 1]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Tracing stack for transferFrom call**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128]
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] # initial stack at 0x058d (from previous sim)
[codex:373128] stack=['selector','ret','offset4','param1','param2','param3','param4','param5',1]
[codex:373128]
[codex:373128] pc=0x058d
[codex:373128] steps=0
[codex:373128]
[codex:373128] # helper functions
[codex:373128]
[codex:373128] def pop():
[codex:373128] return stack.pop() if stack else 'UNDER'
[codex:373128]
[codex:373128] def push(v):
[codex:373128] stack.append(v)
[codex:373128]
[codex:373128] # run until CALL at 0x05e8
[codex:373128] while pc < len(code) and steps<500:
[codex:373128] steps+=1
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] #print(f\"{pc:04x} {name} stack:{stack}\")
[codex:373128] if pc==0x05e8: # CALL
[codex:373128] # CALL pops 7 args: gas, to, value, in_offset, in_size, out_offset, out_size
[codex:373128] gas=pop(); to=pop(); value=pop(); in_off=pop(); in_size=pop(); out_off=pop(); out_size=pop()
[codex:373128] print('CALL args:')
[codex:373128] print(' to:',to)
[codex:373128] print(' value:',value)
[codex:373128] print(' in_off:',in_off, 'in_size:',in_size)
[codex:373128] print(' out_off:',out_off, 'out_size:',out_size)
[codex:373128] break
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; push(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); push(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP': pop(); pc+=1; continue
[codex:373128] if name in ('ADD','SUB','MUL','DIV','AND','LT','EQ'):
[codex:373128] b=pop(); a=pop(); push(f'({a}{name}{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=pop(); push(f'ISZERO({a})'); pc+=1; continue
[codex:373128] if name=='CALLER':
[codex:373128] push('caller'); pc+=1; continue
[codex:373128] if name=='ADDRESS':
[codex:373128] push('this'); pc+=1; continue
[codex:373128] if name=='MLOAD':
[codex:373128] offset=pop(); push(f'MLOAD({offset})'); pc+=1; continue
[codex:373128] if name=='MSTORE':
[codex:373128] val=pop(); offset=pop(); pc+=1; continue
[codex:373128] if name=='SLOAD':
[codex:373128] slot=pop(); push(f'SLOAD({slot})'); pc+=1; continue
[codex:373128] if name=='SSTORE':
[codex:373128] val=pop(); slot=pop(); pc+=1; continue
[codex:373128] if name=='CALL':
[codex:373128] # not expecting earlier
[codex:373128] break
[codex:373128] if name=='GAS':
[codex:373128] push('gas'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=pop(); cond=pop(); pc=dest if isinstance(dest,int) else pc+1; continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=pop(); pc=dest if isinstance(dest,int) else pc+1; continue
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 28ms:
[codex:373128] CALL args:
[codex:373128] to: ((1SUB160)ANDparam4)
[codex:373128] value: 0
[codex:373128] in_off: 1 in_size: (100ADD(1SUBMLOAD(MLOAD(64))))
[codex:373128] out_off: 1 out_size: 32
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing transfer amount flow**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128]
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] stack=['selector','ret','offset4','param1','param2','param3','param4','param5',1]
[codex:373128]
[codex:373128] pc=0x058d
[codex:373128] steps=0
[codex:373128]
[codex:373128]
[codex:373128] def pop():
[codex:373128] return stack.pop() if stack else 'UNDER'
[codex:373128]
[codex:373128] def push(v):
[codex:373128] stack.append(v)
[codex:373128]
[codex:373128] while pc < len(code) and steps<500:
[codex:373128] steps+=1
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] # print at 0x05af where DUP7 occurs
[codex:373128] if pc==0x05af:
[codex:373128] # next op is DUP7
[codex:373128] # compute which item DUP7 refers to
[codex:373128] idx=7
[codex:373128] if len(stack)>=idx:
[codex:373128] print('At 0x05af, DUP7 refers to:', stack[-idx])
[codex:373128] else:
[codex:373128] print('stack too small')
[codex:373128] break
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; push(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); push(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP': pop(); pc+=1; continue
[codex:373128] if name in ('ADD','SUB','MUL','DIV','AND','LT','EQ'):
[codex:373128] b=pop(); a=pop(); push(f'({a}{name}{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=pop(); push(f'ISZERO({a})'); pc+=1; continue
[codex:373128] if name=='CALLER':
[codex:373128] push('caller'); pc+=1; continue
[codex:373128] if name=='ADDRESS':
[codex:373128] push('this'); pc+=1; continue
[codex:373128] if name=='MLOAD':
[codex:373128] offset=pop(); push(f'MLOAD({offset})'); pc+=1; continue
[codex:373128] if name=='MSTORE':
[codex:373128] val=pop(); offset=pop(); pc+=1; continue
[codex:373128] if name=='SLOAD':
[codex:373128] slot=pop(); push(f'SLOAD({slot})'); pc+=1; continue
[codex:373128] if name=='SSTORE':
[codex:373128] val=pop(); slot=pop(); pc+=1; continue
[codex:373128] if name=='CALL':
[codex:373128] break
[codex:373128] if name=='GAS':
[codex:373128] push('gas'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=pop(); cond=pop(); pc=dest if isinstance(dest,int) else pc+1; continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=pop(); pc=dest if isinstance(dest,int) else pc+1; continue
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 24ms:
[codex:373128] At 0x05af, DUP7 refers to: param4
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing stack usage and access control**
[codex:373128]
[codex:373128] I'm tracking how parameters are represented on the stack and noticing that our symbolic labels might conflate actual variables like token address and amounts due to stack rearrangements. The main goal is to determine if unprotected transfers are possible, so I’m shifting focus to exploring access control—especially for functions invoking the core transfer at 0x0773. I’m starting to analyze the 0xa6c07924 function and its internal 0x03c7 call to see if authorization checks exist before transfers happen. To do that, I need to better understand the stack layout entering 0x03c7 by simulating the jump from stub 0x0130. This might clarify if caller restrictions are in place or not.
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128]
[codex:373128] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x50:'POP',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xfd:'REVERT'}
[codex:373128]
[codex:373128] stack=['selector']
[codex:373128] pc=0x0130
[codex:373128] param_counter=0
[codex:373128] steps=0
[codex:373128]
[codex:373128] while pc < len(code) and steps<300:
[codex:373128] steps+=1
[codex:373128] op=code[pc]; name=opnames.get(op,f'OP{op:02x}')
[codex:373128] if op==0x5b:
[codex:373128] pc+=1; continue
[codex:373128] if 0x60<=op<=0x7f:
[codex:373128] n=op-0x5f; data=code[pc+1:pc+1+n]; stack.append(int.from_bytes(data,'big')); pc+=1+n; continue
[codex:373128] if name.startswith('DUP'):
[codex:373128] idx=int(name[3:]); stack.append(stack[-idx]); pc+=1; continue
[codex:373128] if name.startswith('SWAP'):
[codex:373128] idx=int(name[4:]); stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]; pc+=1; continue
[codex:373128] if name=='POP':
[codex:373128] stack.pop(); pc+=1; continue
[codex:373128] if name=='CALLDATALOAD':
[codex:373128] off=stack.pop(); param_counter+=1; stack.append(f'param{param_counter}@{off}'); pc+=1; continue
[codex:373128] if name=='CALLDATASIZE':
[codex:373128] stack.append('calldatasize'); pc+=1; continue
[codex:373128] if name=='SUB':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}-{b})'); pc+=1; continue
[codex:373128] if name=='LT':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}<{b})'); pc+=1; continue
[codex:373128] if name=='ISZERO':
[codex:373128] a=stack.pop(); stack.append(f'iszero({a})'); pc+=1; continue
[codex:373128] if name=='AND':
[codex:373128] b=stack.pop(); a=stack.pop(); stack.append(f'({a}&{b})'); pc+=1; continue
[codex:373128] if name=='JUMPI':
[codex:373128] dest=stack.pop(); cond=stack.pop();
[codex:373128] if isinstance(dest,int):
[codex:373128] pc=dest
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128] continue
[codex:373128] if name=='JUMP':
[codex:373128] dest=stack.pop();
[codex:373128] if dest==0x03c7:
[codex:373128] print('Stack at jump to 0x03c7:')
[codex:373128] print(stack)
[codex:373128] break
[codex:373128] else:
[codex:373128] print('Jump to',dest,'stack',stack)
[codex:373128] break
[codex:373128] if name=='REVERT':
[codex:373128] print('revert'); break
[codex:373128] else:
[codex:373128] pc+=1
[codex:373128]
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 24ms:
[codex:373128] Stack at jump to 0x03c7:
[codex:373128] [123, 4, '(param1@1&(1-160))', '(1-160)', '(1¶m2@32)']
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing potential exploit in contract functions**
[codex:373128] exec
[codex:373128] /bin/bash -lc "python - <<'PY'
[codex:373128] import re
[codex:373128] hexcode=re.search(r'0x[0-9a-fA-F]+',open('BYTECODE_BUNDLE.txt').read()).group(0)[2:]
[codex:373128] code=bytes.fromhex(hexcode)
[codex:373128] for off in [0x43a,0x44e,0x67f,0x6c5,0x997,0x9ab]:
[codex:373128] start=max(0, off-20)
[codex:373128] snippet=code[start:off+1]
[codex:373128] print(f\"SSTORE at {off:#x}\")
[codex:373128] print('bytes:', snippet.hex())
[codex:373128] print()
[codex:373128] PY" in /tmp/codex-multi-ruq3xtn1 succeeded in 25ms:
[codex:373128] SSTORE at 0x43a
[codex:373128] bytes: 600081815260016020908152604080832095909555
[codex:373128]
[codex:373128] SSTORE at 0x44e
[codex:373128] bytes: 559287168152808352838120918152915290812055
[codex:373128]
[codex:373128] SSTORE at 0x67f
[codex:373128] bytes: 600081815260016020908152604080832095909555
[codex:373128]
[codex:373128] SSTORE at 0x6c5
[codex:373128] bytes: 5260208181526040808320938a1683529290522055
[codex:373128]
[codex:373128] SSTORE at 0x997
[codex:373128] bytes: 1b038816600090815260018a016020526040902055
[codex:373128]
[codex:373128] SSTORE at 0x9ab
[codex:373128] bytes: 5587546109a9908263ffffffff6108d416565b8855
[codex:373128]
[codex:373128]
[codex:373128] thinking
[codex:373128] **Analyzing bytecode for exploit paths**
[codex:373128] codex
[codex:373128] {"no_findings":true,"summary":"Bytecode analysis did not reveal a concrete, exploitable path to extract ETH/tokens/NFTs with clear attacker-controlled value transfer or unprotected upgrade/destruct routes.","findings":[]}
[codex:373128] tokens used
[codex:373128] 89,068
[codex:373128] {"no_findings":true,"summary":"Bytecode analysis did not reveal a concrete, exploitable path to extract ETH/tokens/NFTs with clear attacker-controlled value transfer or unprotected upgrade/destruct routes.","findings":[]}
{
"codex": {
"ran_at": "2026-01-03T22:19:01.479518+00:00",
"returncode": 0
},
"summary": "Bytecode analysis did not reveal a concrete, exploitable path to extract ETH/tokens/NFTs with clear attacker-controlled value transfer or unprotected upgrade/destruct routes.",
"raw_final": {
"summary": "Bytecode analysis did not reveal a concrete, exploitable path to extract ETH/tokens/NFTs with clear attacker-controlled value transfer or unprotected upgrade/destruct routes.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x007b 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0xab15f691 00000019: GT 0000001a: PUSH2 0x004e 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0xab15f691 00000024: EQ 00000025: PUSH2 0x016b 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0xd6356cd0 0000002f: EQ 00000030: PUSH2 0x019e 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0xe75f7ddb 0000003a: EQ 0000003b: PUSH2 0x01e2 0000003e: JUMPI 0000003f: DUP1 00000040: PUSH4 0xfd8c06c6 00000045: EQ 00000046: PUSH2 0x0228 00000049: JUMPI 0000004a: PUSH2 0x007b 0000004d: JUMP 0000004e: JUMPDEST 0000004f: DUP1 00000050: PUSH4 0x042a2847 00000055: EQ 00000056: PUSH2 0x007d 00000059: JUMPI 0000005a: DUP1 0000005b: PUSH4 0x425132f0 00000060: EQ 00000061: PUSH2 0x00b0 00000064: JUMPI 00000065: DUP1 00000066: PUSH4 0x63920c09 0000006b: EQ 0000006c: PUSH2 0x00fd 0000006f: JUMPI 00000070: DUP1 00000071: PUSH4 0xa6c07924 00000076: EQ 00000077: PUSH2 0x0130 0000007a: JUMPI 0000007b: JUMPDEST 0000007c: STOP 0000007d: JUMPDEST 0000007e: CALLVALUE 0000007f: DUP1 00000080: ISZERO 00000081: PUSH2 0x0089 00000084: JUMPI 00000085: PUSH1 0x00 00000087: DUP1 00000088: REVERT 00000089: JUMPDEST 0000008a: POP 0000008b: PUSH2 0x007b 0000008e: PUSH1 0x04 00000090: DUP1 00000091: CALLDATASIZE 00000092: SUB 00000093: PUSH1 0x20 00000095: DUP2 00000096: LT 00000097: ISZERO 00000098: PUSH2 0x00a0 0000009b: JUMPI 0000009c: PUSH1 0x00 0000009e: DUP1 0000009f: REVERT 000000a0: JUMPDEST 000000a1: POP 000000a2: CALLDATALOAD 000000a3: PUSH1 0x01 000000a5: PUSH1 0x01 000000a7: PUSH1 0xa0 000000a9: SHL 000000aa: SUB 000000ab: AND 000000ac: PUSH2 0x025b 000000af: JUMP 000000b0: JUMPDEST 000000b1: CALLVALUE 000000b2: DUP1 000000b3: ISZERO 000000b4: PUSH2 0x00bc 000000b7: JUMPI 000000b8: PUSH1 0x00 000000ba: DUP1 000000bb: REVERT 000000bc: JUMPDEST 000000bd: POP 000000be: PUSH2 0x00eb 000000c1: PUSH1 0x04 000000c3: DUP1 000000c4: CALLDATASIZE 000000c5: SUB 000000c6: PUSH1 0x40 000000c8: DUP2 000000c9: LT 000000ca: ISZERO 000000cb: PUSH2 0x00d3 000000ce: JUMPI 000000cf: PUSH1 0x00 000000d1: DUP1 000000d2: REVERT 000000d3: JUMPDEST 000000d4: POP 000000d5: PUSH1 0x01 000000d7: PUSH1 0x01 000000d9: PUSH1 0xa0 000000db: SHL 000000dc: SUB 000000dd: DUP2 000000de: CALLDATALOAD 000000df: DUP2 000000e0: AND 000000e1: SWAP2 000000e2: PUSH1 0x20 000000e4: ADD 000000e5: CALLDATALOAD 000000e6: AND 000000e7: PUSH2 0x039b 000000ea: JUMP 000000eb: JUMPDEST 000000ec: PUSH1 0x40 000000ee: DUP1 000000ef: MLOAD 000000f0: SWAP2 000000f1: DUP3 000000f2: MSTORE 000000f3: MLOAD 000000f4: SWAP1 000000f5: DUP2 000000f6: SWAP1 000000f7: SUB 000000f8: PUSH1 0x20 000000fa: ADD 000000fb: SWAP1 000000fc: RETURN 000000fd: JUMPDEST 000000fe: CALLVALUE 000000ff: DUP1 00000100: ISZERO 00000101: PUSH2 0x0109 00000104: JUMPI 00000105: PUSH1 0x00 00000107: DUP1 00000108: REVERT 00000109: JUMPDEST 0000010a: POP 0000010b: PUSH2 0x00eb 0000010e: PUSH1 0x04 00000110: DUP1 00000111: CALLDATASIZE 00000112: SUB 00000113: PUSH1 0x20 00000115: DUP2 00000116: LT 00000117: ISZERO 00000118: PUSH2 0x0120 0000011b: JUMPI 0000011c: PUSH1 0x00 0000011e: DUP1 0000011f: REVERT 00000120: JUMPDEST 00000121: POP 00000122: CALLDATALOAD 00000123: PUSH1 0x01 00000125: PUSH1 0x01 00000127: PUSH1 0xa0 00000129: SHL 0000012a: SUB 0000012b: AND 0000012c: PUSH2 0x03b5 0000012f: JUMP 00000130: JUMPDEST 00000131: CALLVALUE 00000132: DUP1 00000133: ISZERO 00000134: PUSH2 0x013c 00000137: JUMPI 00000138: PUSH1 0x00 0000013a: DUP1 0000013b: REVERT 0000013c: JUMPDEST 0000013d: POP 0000013e: PUSH2 0x007b 00000141: PUSH1 0x04 00000143: DUP1 00000144: CALLDATASIZE 00000145: SUB 00000146: PUSH1 0x40 00000148: DUP2 00000149: LT 0000014a: ISZERO 0000014b: PUSH2 0x0153 0000014e: JUMPI 0000014f: PUSH1 0x00 00000151: DUP1 00000152: REVERT 00000153: JUMPDEST 00000154: POP 00000155: PUSH1 0x01 00000157: PUSH1 0x01 00000159: PUSH1 0xa0 0000015b: SHL 0000015c: SUB 0000015d: DUP2 0000015e: CALLDATALOAD 0000015f: DUP2 00000160: AND 00000161: SWAP2 00000162: PUSH1 0x20 00000164: ADD 00000165: CALLDATALOAD 00000166: AND 00000167: PUSH2 0x03c7 0000016a: JUMP 0000016b: JUMPDEST 0000016c: CALLVALUE 0000016d: DUP1 0000016e: ISZERO 0000016f: PUSH2 0x0177 00000172: JUMPI 00000173: PUSH1 0x00 00000175: DUP1 00000176: REVERT 00000177: JUMPDEST 00000178: POP 00000179: PUSH2 0x007b 0000017c: PUSH1 0x04 0000017e: DUP1 0000017f: CALLDATASIZE 00000180: SUB 00000181: PUSH1 0x20 00000183: DUP2 00000184: LT 00000185: ISZERO 00000186: PUSH2 0x018e 00000189: JUMPI 0000018a: PUSH1 0x00 0000018c: DUP1 0000018d: REVERT 0000018e: JUMPDEST 0000018f: POP 00000190: CALLDATALOAD 00000191: PUSH1 0x01 00000193: PUSH1 0x01 00000195: PUSH1 0xa0 00000197: SHL 00000198: SUB 00000199: AND 0000019a: PUSH2 0x045e 0000019d: JUMP 0000019e: JUMPDEST 0000019f: PUSH2 0x007b 000001a2: PUSH1 0x04 000001a4: DUP1 000001a5: CALLDATASIZE 000001a6: SUB 000001a7: PUSH1 0xa0 000001a9: DUP2 000001aa: LT 000001ab: ISZERO 000001ac: PUSH2 0x01b4 000001af: JUMPI 000001b0: PUSH1 0x00 000001b2: DUP1 000001b3: REVERT 000001b4: JUMPDEST 000001b5: POP 000001b6: PUSH1 0x01 000001b8: PUSH1 0x01 000001ba: PUSH1 0xa0 000001bc: SHL 000001bd: SUB 000001be: DUP2 000001bf: CALLDATALOAD 000001c0: DUP2 000001c1: AND 000001c2: SWAP2 000001c3: PUSH1 0x20 000001c5: DUP2 000001c6: ADD 000001c7: CALLDATALOAD 000001c8: SWAP2 000001c9: PUSH1 0x40 000001cb: DUP3 000001cc: ADD 000001cd: CALLDATALOAD 000001ce: SWAP2 000001cf: PUSH1 0x60 000001d1: DUP2 000001d2: ADD 000001d3: CALLDATALOAD 000001d4: SWAP1 000001d5: SWAP2 000001d6: AND 000001d7: SWAP1 000001d8: PUSH1 0x80 000001da: ADD 000001db: CALLDATALOAD 000001dc: ISZERO 000001dd: ISZERO 000001de: PUSH2 0x054a 000001e1: JUMP 000001e2: JUMPDEST 000001e3: CALLVALUE 000001e4: DUP1 000001e5: ISZERO 000001e6: PUSH2 0x01ee 000001e9: JUMPI 000001ea: PUSH1 0x00 000001ec: DUP1 000001ed: REVERT 000001ee: JUMPDEST 000001ef: POP 000001f0: PUSH2 0x020c 000001f3: PUSH1 0x04 000001f5: DUP1 000001f6: CALLDATASIZE 000001f7: SUB 000001f8: PUSH1 0x20 000001fa: DUP2 000001fb: LT 000001fc: ISZERO 000001fd: PUSH2 0x0205 00000200: JUMPI 00000201: PUSH1 0x00 00000203: DUP1 00000204: REVERT 00000205: JUMPDEST 00000206: POP 00000207: CALLDATALOAD 00000208: PUSH2 0x06cc 0000020b: JUMP 0000020c: JUMPDEST 0000020d: PUSH1 0x40 0000020f: DUP1 00000210: MLOAD 00000211: PUSH1 0x01 00000213: PUSH1 0x01 00000215: PUSH1 0xa0 00000217: SHL 00000218: SUB 00000219: SWAP1 0000021a: SWAP3 0000021b: AND 0000021c: DUP3 0000021d: MSTORE 0000021e: MLOAD 0000021f: SWAP1 00000220: DUP2 00000221: SWAP1 00000222: SUB 00000223: PUSH1 0x20 00000225: ADD 00000226: SWAP1 00000227: RETURN 00000228: JUMPDEST 00000229: CALLVALUE 0000022a: DUP1 0000022b: ISZERO 0000022c: PUSH2 0x0234 0000022f: JUMPI 00000230: PUSH1 0x00 00000232: DUP1 00000233: REVERT 00000234: JUMPDEST 00000235: POP 00000236: PUSH2 0x00eb 00000239: PUSH1 0x04 0000023b: DUP1 0000023c: CALLDATASIZE 0000023d: SUB 0000023e: PUSH1 0x20 00000240: DUP2 00000241: LT 00000242: ISZERO 00000243: PUSH2 0x024b 00000246: JUMPI 00000247: PUSH1 0x00 00000249: DUP1 0000024a: REVERT 0000024b: JUMPDEST 0000024c: POP 0000024d: CALLDATALOAD 0000024e: PUSH1 0x01 00000250: PUSH1 0x01 00000252: PUSH1 0xa0 00000254: SHL 00000255: SUB 00000256: AND 00000257: PUSH2 0x06f3 0000025a: JUMP 0000025b: JUMPDEST 0000025c: PUSH1 0x01 0000025e: PUSH1 0x01 00000260: PUSH1 0xa0 00000262: SHL 00000263: SUB 00000264: DUP2 00000265: AND 00000266: PUSH1 0x00 00000268: DUP2 00000269: DUP2 0000026a: MSTORE 0000026b: PUSH1 0x03 0000026d: PUSH1 0x20 0000026f: MSTORE 00000270: PUSH1 0x40 00000272: DUP2 00000273: KECCAK256 00000274: SWAP1 00000275: SWAP2 00000276: DUP4 00000277: SWAP1 00000278: DUP4 00000279: SWAP1 0000027a: PUSH2 0x0285 0000027d: JUMPI 0000027e: POP 0000027f: ADDRESS 00000280: BALANCE 00000281: PUSH2 0x02fd 00000284: JUMP 00000285: JUMPDEST 00000286: PUSH1 0x40 00000288: DUP1 00000289: MLOAD 0000028a: PUSH1 0x01 0000028c: PUSH1 0xe0 0000028e: SHL 0000028f: PUSH4 0x70a08231 00000294: MUL 00000295: DUP2 00000296: MSTORE 00000297: ADDRESS 00000298: PUSH1 0x04 0000029a: DUP3 0000029b: ADD 0000029c: MSTORE 0000029d: SWAP1 0000029e: MLOAD 0000029f: PUSH1 0x01 000002a1: PUSH1 0x01 000002a3: PUSH1 0xa0 000002a5: SHL 000002a6: SUB 000002a7: DUP5 000002a8: AND 000002a9: SWAP2 000002aa: PUSH4 0x70a08231 000002af: SWAP2 000002b0: PUSH1 0x24 000002b2: DUP1 000002b3: DUP4 000002b4: ADD 000002b5: SWAP3 000002b6: PUSH1 0x20 000002b8: SWAP3 000002b9: SWAP2 000002ba: SWAP1 000002bb: DUP3 000002bc: SWAP1 000002bd: SUB 000002be: ADD 000002bf: DUP2 000002c0: DUP7 000002c1: DUP1 000002c2: EXTCODESIZE 000002c3: ISZERO 000002c4: DUP1 000002c5: ISZERO 000002c6: PUSH2 0x02ce 000002c9: JUMPI 000002ca: PUSH1 0x00 000002cc: DUP1 000002cd: REVERT 000002ce: JUMPDEST 000002cf: POP 000002d0: GAS 000002d1: STATICCALL 000002d2: ISZERO 000002d3: DUP1 000002d4: ISZERO 000002d5: PUSH2 0x02e2 000002d8: JUMPI 000002d9: RETURNDATASIZE 000002da: PUSH1 0x00 000002dc: DUP1 000002dd: RETURNDATACOPY 000002de: RETURNDATASIZE 000002df: PUSH1 0x00 000002e1: REVERT 000002e2: JUMPDEST 000002e3: POP 000002e4: POP 000002e5: POP 000002e6: POP 000002e7: PUSH1 0x40 000002e9: MLOAD 000002ea: RETURNDATASIZE 000002eb: PUSH1 0x20 000002ed: DUP2 000002ee: LT 000002ef: ISZERO 000002f0: PUSH2 0x02f8 000002f3: JUMPI 000002f4: PUSH1 0x00 000002f6: DUP1 000002f7: REVERT 000002f8: JUMPDEST 000002f9: POP 000002fa: MLOAD 000002fb: SWAP1 000002fc: POP 000002fd: JUMPDEST 000002fe: PUSH1 0x01 00000300: PUSH1 0x01 00000302: PUSH1 0xa0 00000304: SHL 00000305: SUB 00000306: DUP6 00000307: AND 00000308: PUSH1 0x00 0000030a: SWAP1 0000030b: DUP2 0000030c: MSTORE 0000030d: PUSH1 0x01 0000030f: PUSH1 0x20 00000311: MSTORE 00000312: PUSH1 0x40 00000314: SWAP1 00000315: KECCAK256 00000316: SLOAD 00000317: PUSH2 0x0327 0000031a: SWAP1 0000031b: DUP3 0000031c: SWAP1 0000031d: PUSH4 0xffffffff 00000322: PUSH2 0x0705 00000325: AND 00000326: JUMP 00000327: JUMPDEST 00000328: SWAP1 00000329: POP 0000032a: PUSH1 0x00 0000032c: JUMPDEST 0000032d: PUSH1 0x02 0000032f: SLOAD 00000330: DUP2 00000331: LT 00000332: ISZERO 00000333: PUSH2 0x0389 00000336: JUMPI 00000337: PUSH1 0x00 00000339: PUSH1 0x02 0000033b: DUP3 0000033c: DUP2 0000033d: SLOAD 0000033e: DUP2 0000033f: LT 00000340: PUSH2 0x0345 00000343: JUMPI 00000344: INVALID 00000345: JUMPDEST 00000346: PUSH1 0x00 00000348: SWAP2 00000349: DUP3 0000034a: MSTORE 0000034b: PUSH1 0x20 0000034d: SWAP1 0000034e: SWAP2 0000034f: KECCAK256 00000350: ADD 00000351: SLOAD 00000352: PUSH1 0x01 00000354: PUSH1 0x01 00000356: PUSH1 0xa0 00000358: SHL 00000359: SUB 0000035a: AND 0000035b: SWAP1 0000035c: POP 0000035d: DUP6 0000035e: DUP1 0000035f: PUSH2 0x0370 00000362: JUMPI 00000363: POP 00000364: CALLER 00000365: PUSH1 0x01 00000367: PUSH1 0x01 00000369: PUSH1 0xa0 0000036b: SHL 0000036c: SUB 0000036d: DUP3 0000036e: AND 0000036f: EQ 00000370: JUMPDEST 00000371: SWAP6 00000372: POP 00000373: PUSH2 0x037e 00000376: DUP6 00000377: DUP9 00000378: DUP4 00000379: DUP7 0000037a: PUSH2 0x071c 0000037d: JUMP 0000037e: JUMPDEST 0000037f: SWAP3 00000380: POP 00000381: POP 00000382: PUSH1 0x01 00000384: ADD 00000385: PUSH2 0x032c 00000388: JUMP 00000389: JUMPDEST 0000038a: POP 0000038b: DUP4 0000038c: PUSH2 0x0394 0000038f: JUMPI 00000390: PUSH1 0x00 00000392: DUP1 00000393: REVERT 00000394: JUMPDEST 00000395: POP 00000396: POP 00000397: POP 00000398: POP 00000399: POP 0000039a: JUMP 0000039b: JUMPDEST 0000039c: PUSH1 0x00 0000039e: PUSH1 0x20 000003a0: DUP2 000003a1: DUP2 000003a2: MSTORE 000003a3: SWAP3 000003a4: DUP2 000003a5: MSTORE 000003a6: PUSH1 0x40 000003a8: DUP1 000003a9: DUP3 000003aa: KECCAK256 000003ab: SWAP1 000003ac: SWAP4 000003ad: MSTORE 000003ae: SWAP1 000003af: DUP2 000003b0: MSTORE 000003b1: KECCAK256 000003b2: SLOAD 000003b3: DUP2 000003b4: JUMP 000003b5: JUMPDEST 000003b6: PUSH1 0x01 000003b8: PUSH1 0x20 000003ba: MSTORE 000003bb: PUSH1 0x00 000003bd: SWAP1 000003be: DUP2 000003bf: MSTORE 000003c0: PUSH1 0x40 000003c2: SWAP1 000003c3: KECCAK256 000003c4: SLOAD 000003c5: DUP2 000003c6: JUMP 000003c7: JUMPDEST 000003c8: PUSH1 0x01 000003ca: PUSH1 0x01 000003cc: PUSH1 0xa0 000003ce: SHL 000003cf: SUB 000003d0: DUP1 000003d1: DUP4 000003d2: AND 000003d3: PUSH1 0x00 000003d5: SWAP1 000003d6: DUP2 000003d7: MSTORE 000003d8: PUSH1 0x20 000003da: DUP2 000003db: DUP2 000003dc: MSTORE 000003dd: PUSH1 0x40 000003df: DUP1 000003e0: DUP4 000003e1: KECCAK256 000003e2: SWAP4 000003e3: DUP6 000003e4: AND 000003e5: DUP4 000003e6: MSTORE 000003e7: SWAP3 000003e8: SWAP1 000003e9: MSTORE 000003ea: KECCAK256 000003eb: SLOAD 000003ec: DUP1 000003ed: ISZERO 000003ee: PUSH2 0x0459 000003f1: JUMPI 000003f2: PUSH1 0x01 000003f4: PUSH1 0x01 000003f6: PUSH1 0xa0 000003f8: SHL 000003f9: SUB 000003fa: DUP3 000003fb: AND 000003fc: PUSH1 0x00 000003fe: SWAP1 000003ff: DUP2 00000400: MSTORE 00000401: PUSH1 0x01 00000403: PUSH1 0x20 00000405: MSTORE 00000406: PUSH1 0x40 00000408: SWAP1 00000409: KECCAK256 0000040a: SLOAD 0000040b: PUSH2 0x041a 0000040e: SWAP1 0000040f: DUP3 00000410: PUSH4 0xffffffff 00000415: PUSH2 0x0705 00000418: AND 00000419: JUMP 0000041a: JUMPDEST 0000041b: PUSH1 0x01 0000041d: PUSH1 0x01 0000041f: PUSH1 0xa0 00000421: SHL 00000422: SUB 00000423: DUP1 00000424: DUP5 00000425: AND 00000426: PUSH1 0x00 00000428: DUP2 00000429: DUP2 0000042a: MSTORE 0000042b: PUSH1 0x01 0000042d: PUSH1 0x20 0000042f: SWAP1 00000430: DUP2 00000431: MSTORE 00000432: PUSH1 0x40 00000434: DUP1 00000435: DUP4 00000436: KECCAK256 00000437: SWAP6 00000438: SWAP1 00000439: SWAP6 0000043a: SSTORE 0000043b: SWAP3 0000043c: DUP8 0000043d: AND 0000043e: DUP2 0000043f: MSTORE 00000440: DUP1 00000441: DUP4 00000442: MSTORE 00000443: DUP4 00000444: DUP2 00000445: KECCAK256 00000446: SWAP2 00000447: DUP2 00000448: MSTORE 00000449: SWAP2 0000044a: MSTORE 0000044b: SWAP1 0000044c: DUP2 0000044d: KECCAK256 0000044e: SSTORE 0000044f: PUSH2 0x0459 00000452: DUP3 00000453: DUP5 00000454: DUP4 00000455: PUSH2 0x0773 00000458: JUMP 00000459: JUMPDEST 0000045a: POP 0000045b: POP 0000045c: POP 0000045d: JUMP 0000045e: JUMPDEST 0000045f: PUSH2 0x0469 00000462: PUSH1 0x02 00000464: CALLER 00000465: PUSH2 0x087a 00000468: JUMP 00000469: JUMPDEST 0000046a: PUSH2 0x0472 0000046d: JUMPI 0000046e: PUSH1 0x00 00000470: DUP1 00000471: REVERT 00000472: JUMPDEST 00000473: PUSH1 0x01 00000475: PUSH1 0x01 00000477: PUSH1 0xa0 00000479: SHL 0000047a: SUB 0000047b: DUP2 0000047c: AND 0000047d: PUSH1 0x00 0000047f: DUP2 00000480: DUP2 00000481: MSTORE 00000482: PUSH1 0x03 00000484: PUSH1 0x20 00000486: MSTORE 00000487: PUSH1 0x40 00000489: DUP2 0000048a: KECCAK256 0000048b: SWAP2 0000048c: DUP4 0000048d: SWAP2 0000048e: SWAP1 0000048f: PUSH2 0x049a 00000492: JUMPI 00000493: POP 00000494: ADDRESS 00000495: BALANCE 00000496: PUSH2 0x0512 00000499: JUMP 0000049a: JUMPDEST 0000049b: PUSH1 0x40 0000049d: DUP1 0000049e: MLOAD 0000049f: PUSH1 0x01 000004a1: PUSH1 0xe0 000004a3: SHL 000004a4: PUSH4 0x70a08231 000004a9: MUL 000004aa: DUP2 000004ab: MSTORE 000004ac: ADDRESS 000004ad: PUSH1 0x04 000004af: DUP3 000004b0: ADD 000004b1: MSTORE 000004b2: SWAP1 000004b3: MLOAD 000004b4: PUSH1 0x01 000004b6: PUSH1 0x01 000004b8: PUSH1 0xa0 000004ba: SHL 000004bb: SUB 000004bc: DUP5 000004bd: AND 000004be: SWAP2 000004bf: PUSH4 0x70a08231 000004c4: SWAP2 000004c5: PUSH1 0x24 000004c7: DUP1 000004c8: DUP4 000004c9: ADD 000004ca: SWAP3 000004cb: PUSH1 0x20 000004cd: SWAP3 000004ce: SWAP2 000004cf: SWAP1 000004d0: DUP3 000004d1: SWAP1 000004d2: SUB 000004d3: ADD 000004d4: DUP2 000004d5: DUP7 000004d6: DUP1 000004d7: EXTCODESIZE 000004d8: ISZERO 000004d9: DUP1 000004da: ISZERO 000004db: PUSH2 0x04e3 000004de: JUMPI 000004df: PUSH1 0x00 000004e1: DUP1 000004e2: REVERT 000004e3: JUMPDEST 000004e4: POP 000004e5: GAS 000004e6: STATICCALL 000004e7: ISZERO 000004e8: DUP1 000004e9: ISZERO 000004ea: PUSH2 0x04f7 000004ed: JUMPI 000004ee: RETURNDATASIZE 000004ef: PUSH1 0x00 000004f1: DUP1 000004f2: RETURNDATACOPY 000004f3: RETURNDATASIZE 000004f4: PUSH1 0x00 000004f6: REVERT 000004f7: JUMPDEST 000004f8: POP 000004f9: POP 000004fa: POP 000004fb: POP 000004fc: PUSH1 0x40 000004fe: MLOAD 000004ff: RETURNDATASIZE 00000500: PUSH1 0x20 00000502: DUP2 00000503: LT 00000504: ISZERO 00000505: PUSH2 0x050d 00000508: JUMPI 00000509: PUSH1 0x00 0000050b: DUP1 0000050c: REVERT 0000050d: JUMPDEST 0000050e: POP 0000050f: MLOAD 00000510: SWAP1 00000511: POP 00000512: JUMPDEST 00000513: PUSH1 0x01 00000515: PUSH1 0x01 00000517: PUSH1 0xa0 00000519: SHL 0000051a: SUB 0000051b: DUP5 0000051c: AND 0000051d: PUSH1 0x00 0000051f: SWAP1 00000520: DUP2 00000521: MSTORE 00000522: PUSH1 0x01 00000524: PUSH1 0x20 00000526: MSTORE 00000527: PUSH1 0x40 00000529: SWAP1 0000052a: KECCAK256 0000052b: SLOAD 0000052c: PUSH2 0x053c 0000052f: SWAP1 00000530: DUP3 00000531: SWAP1 00000532: PUSH4 0xffffffff 00000537: PUSH2 0x0705 0000053a: AND 0000053b: JUMP 0000053c: JUMPDEST 0000053d: SWAP1 0000053e: POP 0000053f: PUSH2 0x0394 00000542: DUP4 00000543: DUP6 00000544: CALLER 00000545: DUP5 00000546: PUSH2 0x071c 00000549: JUMP 0000054a: JUMPDEST 0000054b: DUP3 0000054c: DUP5 0000054d: LT 0000054e: ISZERO 0000054f: DUP1 00000550: ISZERO 00000551: PUSH2 0x055a 00000554: JUMPI 00000555: POP 00000556: PUSH1 0x00 00000558: DUP5 00000559: GT 0000055a: JUMPDEST 0000055b: PUSH2 0x0563 0000055e: JUMPI 0000055f: PUSH1 0x00 00000561: DUP1 00000562: REVERT 00000563: JUMPDEST 00000564: PUSH1 0x01 00000566: PUSH1 0x01 00000568: PUSH1 0xa0 0000056a: SHL 0000056b: SUB 0000056c: DUP6 0000056d: AND 0000056e: PUSH2 0x0582 00000571: JUMPI 00000572: DUP4 00000573: CALLVALUE 00000574: EQ 00000575: PUSH2 0x057d 00000578: JUMPI 00000579: PUSH1 0x00 0000057b: DUP1 0000057c: REVERT 0000057d: JUMPDEST 0000057e: PUSH2 0x061a 00000581: JUMP 00000582: JUMPDEST 00000583: CALLVALUE 00000584: ISZERO 00000585: PUSH2 0x058d 00000588: JUMPI 00000589: PUSH1 0x00 0000058b: DUP1 0000058c: REVERT 0000058d: JUMPDEST 0000058e: PUSH1 0x40 00000590: DUP1 00000591: MLOAD 00000592: PUSH1 0x01 00000594: PUSH1 0xe0 00000596: SHL 00000597: PUSH4 0x23b872dd 0000059c: MUL 0000059d: DUP2 0000059e: MSTORE 0000059f: CALLER 000005a0: PUSH1 0x04 000005a2: DUP3 000005a3: ADD 000005a4: MSTORE 000005a5: ADDRESS 000005a6: PUSH1 0x24 000005a8: DUP3 000005a9: ADD 000005aa: MSTORE 000005ab: PUSH1 0x44 000005ad: DUP2 000005ae: ADD 000005af: DUP7 000005b0: SWAP1 000005b1: MSTORE 000005b2: SWAP1 000005b3: MLOAD 000005b4: PUSH1 0x01 000005b6: PUSH1 0x01 000005b8: PUSH1 0xa0 000005ba: SHL 000005bb: SUB 000005bc: DUP8 000005bd: AND 000005be: SWAP2 000005bf: PUSH4 0x23b872dd 000005c4: SWAP2 000005c5: PUSH1 0x64 000005c7: DUP1 000005c8: DUP4 000005c9: ADD 000005ca: SWAP3 000005cb: PUSH1 0x20 000005cd: SWAP3 000005ce: SWAP2 000005cf: SWAP1 000005d0: DUP3 000005d1: SWAP1 000005d2: SUB 000005d3: ADD 000005d4: DUP2 000005d5: PUSH1 0x00 000005d7: DUP8 000005d8: DUP1 000005d9: EXTCODESIZE 000005da: ISZERO 000005db: DUP1 000005dc: ISZERO 000005dd: PUSH2 0x05e5 000005e0: JUMPI 000005e1: PUSH1 0x00 000005e3: DUP1 000005e4: REVERT 000005e5: JUMPDEST 000005e6: POP 000005e7: GAS 000005e8: CALL 000005e9: ISZERO 000005ea: DUP1 000005eb: ISZERO 000005ec: PUSH2 0x05f9 000005ef: JUMPI 000005f0: RETURNDATASIZE 000005f1: PUSH1 0x00 000005f3: DUP1 000005f4: RETURNDATACOPY 000005f5: RETURNDATASIZE 000005f6: PUSH1 0x00 000005f8: REVERT 000005f9: JUMPDEST 000005fa: POP 000005fb: POP 000005fc: POP 000005fd: POP 000005fe: PUSH1 0x40 00000600: MLOAD 00000601: RETURNDATASIZE 00000602: PUSH1 0x20 00000604: DUP2 00000605: LT 00000606: ISZERO 00000607: PUSH2 0x060f 0000060a: JUMPI 0000060b: PUSH1 0x00 0000060d: DUP1 0000060e: REVERT 0000060f: JUMPDEST 00000610: POP 00000611: MLOAD 00000612: PUSH2 0x061a 00000615: JUMPI 00000616: PUSH1 0x00 00000618: DUP1 00000619: REVERT 0000061a: JUMPDEST 0000061b: DUP3 0000061c: ISZERO 0000061d: PUSH2 0x0394 00000620: JUMPI 00000621: DUP1 00000622: ISZERO 00000623: PUSH2 0x0636 00000626: JUMPI 00000627: PUSH2 0x0631 0000062a: DUP6 0000062b: DUP4 0000062c: DUP6 0000062d: PUSH2 0x0773 00000630: JUMP 00000631: JUMPDEST 00000632: PUSH2 0x0394 00000635: JUMP 00000636: JUMPDEST 00000637: PUSH1 0x01 00000639: PUSH1 0x01 0000063b: PUSH1 0xa0 0000063d: SHL 0000063e: SUB 0000063f: DUP6 00000640: AND 00000641: PUSH1 0x00 00000643: SWAP1 00000644: DUP2 00000645: MSTORE 00000646: PUSH1 0x01 00000648: PUSH1 0x20 0000064a: MSTORE 0000064b: PUSH1 0x40 0000064d: SWAP1 0000064e: KECCAK256 0000064f: SLOAD 00000650: PUSH2 0x065f 00000653: SWAP1 00000654: DUP5 00000655: PUSH4 0xffffffff 0000065a: PUSH2 0x08d4 0000065d: AND 0000065e: JUMP 0000065f: JUMPDEST 00000660: PUSH1 0x01 00000662: PUSH1 0x01 00000664: PUSH1 0xa0 00000666: SHL 00000667: SUB 00000668: DUP1 00000669: DUP8 0000066a: AND 0000066b: PUSH1 0x00 0000066d: DUP2 0000066e: DUP2 0000066f: MSTORE 00000670: PUSH1 0x01 00000672: PUSH1 0x20 00000674: SWAP1 00000675: DUP2 00000676: MSTORE 00000677: PUSH1 0x40 00000679: DUP1 0000067a: DUP4 0000067b: KECCAK256 0000067c: SWAP6 0000067d: SWAP1 0000067e: SWAP6 0000067f: SSTORE 00000680: SWAP3 00000681: DUP7 00000682: AND 00000683: DUP2 00000684: MSTORE 00000685: DUP1 00000686: DUP4 00000687: MSTORE 00000688: DUP4 00000689: DUP2 0000068a: KECCAK256 0000068b: SWAP2 0000068c: DUP2 0000068d: MSTORE 0000068e: SWAP2 0000068f: MSTORE 00000690: KECCAK256 00000691: SLOAD 00000692: PUSH2 0x06a1 00000695: SWAP1 00000696: DUP5 00000697: PUSH4 0xffffffff 0000069c: PUSH2 0x08d4 0000069f: AND 000006a0: JUMP 000006a1: JUMPDEST 000006a2: PUSH1 0x01 000006a4: PUSH1 0x01 000006a6: PUSH1 0xa0 000006a8: SHL 000006a9: SUB 000006aa: DUP1 000006ab: DUP5 000006ac: AND 000006ad: PUSH1 0x00 000006af: SWAP1 000006b0: DUP2 000006b1: MSTORE 000006b2: PUSH1 0x20 000006b4: DUP2 000006b5: DUP2 000006b6: MSTORE 000006b7: PUSH1 0x40 000006b9: DUP1 000006ba: DUP4 000006bb: KECCAK256 000006bc: SWAP4 000006bd: DUP11 000006be: AND 000006bf: DUP4 000006c0: MSTORE 000006c1: SWAP3 000006c2: SWAP1 000006c3: MSTORE 000006c4: KECCAK256 000006c5: SSTORE 000006c6: POP 000006c7: POP 000006c8: POP 000006c9: POP 000006ca: POP 000006cb: JUMP 000006cc: JUMPDEST 000006cd: PUSH1 0x02 000006cf: DUP2 000006d0: DUP2 000006d1: SLOAD 000006d2: DUP2 000006d3: LT 000006d4: PUSH2 0x06d9 000006d7: JUMPI 000006d8: INVALID 000006d9: JUMPDEST 000006da: PUSH1 0x00 000006dc: SWAP2 000006dd: DUP3 000006de: MSTORE 000006df: PUSH1 0x20 000006e1: SWAP1 000006e2: SWAP2 000006e3: KECCAK256 000006e4: ADD 000006e5: SLOAD 000006e6: PUSH1 0x01 000006e8: PUSH1 0x01 000006ea: PUSH1 0xa0 000006ec: SHL 000006ed: SUB 000006ee: AND 000006ef: SWAP1 000006f0: POP 000006f1: DUP2 000006f2: JUMP 000006f3: JUMPDEST 000006f4: PUSH1 0x03 000006f6: PUSH1 0x20 000006f8: MSTORE 000006f9: PUSH1 0x00 000006fb: SWAP1 000006fc: DUP2 000006fd: MSTORE 000006fe: PUSH1 0x40 00000700: SWAP1 00000701: KECCAK256 00000702: SLOAD 00000703: DUP2 00000704: JUMP 00000705: JUMPDEST 00000706: PUSH1 0x00 00000708: DUP3 00000709: DUP3 0000070a: GT 0000070b: ISZERO 0000070c: PUSH2 0x0711 0000070f: JUMPI 00000710: INVALID 00000711: JUMPDEST 00000712: POP 00000713: DUP1 00000714: DUP3 00000715: SUB 00000716: JUMPDEST 00000717: SWAP3 00000718: SWAP2 00000719: POP 0000071a: POP 0000071b: JUMP 0000071c: JUMPDEST 0000071d: PUSH1 0x40 0000071f: DUP1 00000720: MLOAD 00000721: DUP1 00000722: DUP3 00000723: ADD 00000724: SWAP1 00000725: SWAP2 00000726: MSTORE 00000727: PUSH1 0x01 00000729: DUP2 0000072a: MSTORE 0000072b: PUSH1 0x02 0000072d: SLOAD 0000072e: PUSH1 0x20 00000730: DUP3 00000731: ADD 00000732: MSTORE 00000733: PUSH1 0x00 00000735: SWAP1 00000736: DUP2 00000737: SWAP1 00000738: PUSH2 0x074c 0000073b: SWAP1 0000073c: DUP8 0000073d: SWAP1 0000073e: DUP7 0000073f: SWAP1 00000740: DUP7 00000741: SWAP1 00000742: PUSH4 0xffffffff 00000747: PUSH2 0x08ea 0000074a: AND 0000074b: JUMP 0000074c: JUMPDEST 0000074d: SWAP1 0000074e: POP 0000074f: PUSH2 0x0759 00000752: DUP6 00000753: DUP6 00000754: DUP4 00000755: PUSH2 0x0773 00000758: JUMP 00000759: JUMPDEST 0000075a: PUSH2 0x0769 0000075d: DUP4 0000075e: DUP3 0000075f: PUSH4 0xffffffff 00000764: PUSH2 0x0705 00000767: AND 00000768: JUMP 00000769: JUMPDEST 0000076a: SWAP7 0000076b: SWAP6 0000076c: POP 0000076d: POP 0000076e: POP 0000076f: POP 00000770: POP 00000771: POP 00000772: JUMP 00000773: JUMPDEST 00000774: PUSH1 0x01 00000776: PUSH1 0x01 00000778: PUSH1 0xa0 0000077a: SHL 0000077b: SUB 0000077c: DUP4 0000077d: AND 0000077e: PUSH2 0x07e5 00000781: JUMPI 00000782: PUSH1 0x40 00000784: MLOAD 00000785: PUSH1 0x00 00000787: SWAP1 00000788: PUSH1 0x01 0000078a: PUSH1 0x01 0000078c: PUSH1 0xa0 0000078e: SHL 0000078f: SUB 00000790: DUP5 00000791: AND 00000792: SWAP1 00000793: DUP4 00000794: SWAP1 00000795: DUP4 00000796: DUP2 00000797: DUP2 00000798: DUP2 00000799: DUP6 0000079a: DUP8 0000079b: GAS 0000079c: CALL 0000079d: SWAP3 0000079e: POP 0000079f: POP 000007a0: POP 000007a1: RETURNDATASIZE 000007a2: DUP1 000007a3: PUSH1 0x00 000007a5: DUP2 000007a6: EQ 000007a7: PUSH2 0x07cc 000007aa: JUMPI 000007ab: PUSH1 0x40 000007ad: MLOAD 000007ae: SWAP2 000007af: POP 000007b0: PUSH1 0x1f 000007b2: NOT 000007b3: PUSH1 0x3f 000007b5: RETURNDATASIZE 000007b6: ADD 000007b7: AND 000007b8: DUP3 000007b9: ADD 000007ba: PUSH1 0x40 000007bc: MSTORE 000007bd: RETURNDATASIZE 000007be: DUP3 000007bf: MSTORE 000007c0: RETURNDATASIZE 000007c1: PUSH1 0x00 000007c3: PUSH1 0x20 000007c5: DUP5 000007c6: ADD 000007c7: RETURNDATACOPY 000007c8: PUSH2 0x07d1 000007cb: JUMP 000007cc: JUMPDEST 000007cd: PUSH1 0x60 000007cf: SWAP2 000007d0: POP 000007d1: JUMPDEST 000007d2: POP 000007d3: POP 000007d4: SWAP1 000007d5: POP 000007d6: DUP1 000007d7: PUSH2 0x07df 000007da: JUMPI 000007db: PUSH1 0x00 000007dd: DUP1 000007de: REVERT 000007df: JUMPDEST 000007e0: POP 000007e1: PUSH2 0x0459 000007e4: JUMP 000007e5: JUMPDEST 000007e6: DUP3 000007e7: PUSH1 0x01 000007e9: PUSH1 0x01 000007eb: PUSH1 0xa0 000007ed: SHL 000007ee: SUB 000007ef: AND 000007f0: PUSH4 0xa9059cbb 000007f5: DUP4 000007f6: DUP4 000007f7: PUSH1 0x40 000007f9: MLOAD 000007fa: DUP4 000007fb: PUSH4 0xffffffff 00000800: AND 00000801: PUSH1 0xe0 00000803: SHL 00000804: DUP2 00000805: MSTORE 00000806: PUSH1 0x04 00000808: ADD 00000809: DUP1 0000080a: DUP4 0000080b: PUSH1 0x01 0000080d: PUSH1 0x01 0000080f: PUSH1 0xa0 00000811: SHL 00000812: SUB 00000813: AND 00000814: PUSH1 0x01 00000816: PUSH1 0x01 00000818: PUSH1 0xa0 0000081a: SHL 0000081b: SUB 0000081c: AND 0000081d: DUP2 0000081e: MSTORE 0000081f: PUSH1 0x20 00000821: ADD 00000822: DUP3 00000823: DUP2 00000824: MSTORE 00000825: PUSH1 0x20 00000827: ADD 00000828: SWAP3 00000829: POP 0000082a: POP 0000082b: POP 0000082c: PUSH1 0x20 0000082e: PUSH1 0x40 00000830: MLOAD 00000831: DUP1 00000832: DUP4 00000833: SUB 00000834: DUP2 00000835: PUSH1 0x00 00000837: DUP8 00000838: DUP1 00000839: EXTCODESIZE 0000083a: ISZERO 0000083b: DUP1 0000083c: ISZERO 0000083d: PUSH2 0x0845 00000840: JUMPI 00000841: PUSH1 0x00 00000843: DUP1 00000844: REVERT 00000845: JUMPDEST 00000846: POP 00000847: GAS 00000848: CALL 00000849: ISZERO 0000084a: DUP1 0000084b: ISZERO 0000084c: PUSH2 0x0859 0000084f: JUMPI 00000850: RETURNDATASIZE 00000851: PUSH1 0x00 00000853: DUP1 00000854: RETURNDATACOPY 00000855: RETURNDATASIZE 00000856: PUSH1 0x00 00000858: REVERT 00000859: JUMPDEST 0000085a: POP 0000085b: POP 0000085c: POP 0000085d: POP 0000085e: PUSH1 0x40 00000860: MLOAD 00000861: RETURNDATASIZE 00000862: PUSH1 0x20 00000864: DUP2 00000865: LT 00000866: ISZERO 00000867: PUSH2 0x086f 0000086a: JUMPI 0000086b: PUSH1 0x00 0000086d: DUP1 0000086e: REVERT 0000086f: JUMPDEST 00000870: POP 00000871: MLOAD 00000872: PUSH2 0x0459 00000875: JUMPI 00000876: PUSH1 0x00 00000878: DUP1 00000879: REVERT 0000087a: JUMPDEST 0000087b: PUSH1 0x00 0000087d: DUP1 0000087e: JUMPDEST 0000087f: DUP4 00000880: SLOAD 00000881: DUP2 00000882: LT 00000883: ISZERO 00000884: PUSH2 0x08ca 00000887: JUMPI 00000888: DUP3 00000889: PUSH1 0x01 0000088b: PUSH1 0x01 0000088d: PUSH1 0xa0 0000088f: SHL 00000890: SUB 00000891: AND 00000892: DUP5 00000893: DUP3 00000894: DUP2 00000895: SLOAD 00000896: DUP2 00000897: LT 00000898: PUSH2 0x089d 0000089b: JUMPI 0000089c: INVALID 0000089d: JUMPDEST 0000089e: PUSH1 0x00 000008a0: SWAP2 000008a1: DUP3 000008a2: MSTORE 000008a3: PUSH1 0x20 000008a5: SWAP1 000008a6: SWAP2 000008a7: KECCAK256 000008a8: ADD 000008a9: SLOAD 000008aa: PUSH1 0x01 000008ac: PUSH1 0x01 000008ae: PUSH1 0xa0 000008b0: SHL 000008b1: SUB 000008b2: AND 000008b3: EQ 000008b4: ISZERO 000008b5: PUSH2 0x08c2 000008b8: JUMPI 000008b9: PUSH1 0x01 000008bb: SWAP2 000008bc: POP 000008bd: POP 000008be: PUSH2 0x0716 000008c1: JUMP 000008c2: JUMPDEST 000008c3: PUSH1 0x01 000008c5: ADD 000008c6: PUSH2 0x087e 000008c9: JUMP 000008ca: JUMPDEST 000008cb: POP 000008cc: PUSH1 0x00 000008ce: SWAP4 000008cf: SWAP3 000008d0: POP 000008d1: POP 000008d2: POP 000008d3: JUMP 000008d4: JUMPDEST 000008d5: PUSH1 0x00 000008d7: DUP3 000008d8: DUP3 000008d9: ADD 000008da: DUP4 000008db: DUP2 000008dc: LT 000008dd: ISZERO 000008de: PUSH2 0x08e3 000008e1: JUMPI 000008e2: INVALID 000008e3: JUMPDEST 000008e4: SWAP4 000008e5: SWAP3 000008e6: POP 000008e7: POP 000008e8: POP 000008e9: JUMP 000008ea: JUMPDEST 000008eb: PUSH1 0x00 000008ed: DUP1 000008ee: PUSH2 0x0914 000008f1: PUSH2 0x0907 000008f4: DUP8 000008f5: PUSH1 0x00 000008f7: ADD 000008f8: SLOAD 000008f9: DUP7 000008fa: PUSH2 0x08d4 000008fd: SWAP1 000008fe: SWAP2 000008ff: SWAP1 00000900: PUSH4 0xffffffff 00000905: AND 00000906: JUMP 00000907: JUMPDEST 00000908: DUP5 00000909: SWAP1 0000090a: PUSH4 0xffffffff 0000090f: PUSH2 0x09b7 00000912: AND 00000913: JUMP 00000914: JUMPDEST 00000915: PUSH1 0x01 00000917: PUSH1 0x01 00000919: PUSH1 0xa0 0000091b: SHL 0000091c: SUB 0000091d: DUP7 0000091e: AND 0000091f: PUSH1 0x00 00000921: SWAP1 00000922: DUP2 00000923: MSTORE 00000924: PUSH1 0x01 00000926: DUP9 00000927: ADD 00000928: PUSH1 0x20 0000092a: MSTORE 0000092b: PUSH1 0x40 0000092d: SWAP1 0000092e: KECCAK256 0000092f: SLOAD 00000930: SWAP1 00000931: SWAP2 00000932: POP 00000933: DUP2 00000934: DUP2 00000935: GT 00000936: ISZERO 00000937: PUSH2 0x093c 0000093a: JUMPI 0000093b: INVALID 0000093c: JUMPDEST 0000093d: PUSH1 0x00 0000093f: PUSH2 0x094e 00000942: DUP4 00000943: DUP4 00000944: PUSH4 0xffffffff 00000949: PUSH2 0x0705 0000094c: AND 0000094d: JUMP 0000094e: JUMPDEST 0000094f: PUSH1 0x01 00000951: PUSH1 0x01 00000953: PUSH1 0xa0 00000955: SHL 00000956: SUB 00000957: DUP9 00000958: AND 00000959: PUSH1 0x00 0000095b: SWAP1 0000095c: DUP2 0000095d: MSTORE 0000095e: PUSH1 0x01 00000960: DUP11 00000961: ADD 00000962: PUSH1 0x20 00000964: MSTORE 00000965: PUSH1 0x40 00000967: SWAP1 00000968: KECCAK256 00000969: SLOAD 0000096a: SWAP1 0000096b: SWAP2 0000096c: POP 0000096d: PUSH2 0x097c 00000970: SWAP1 00000971: DUP3 00000972: PUSH4 0xffffffff 00000977: PUSH2 0x08d4 0000097a: AND 0000097b: JUMP 0000097c: JUMPDEST 0000097d: PUSH1 0x01 0000097f: PUSH1 0x01 00000981: PUSH1 0xa0 00000983: SHL 00000984: SUB 00000985: DUP9 00000986: AND 00000987: PUSH1 0x00 00000989: SWAP1 0000098a: DUP2 0000098b: MSTORE 0000098c: PUSH1 0x01 0000098e: DUP11 0000098f: ADD 00000990: PUSH1 0x20 00000992: MSTORE 00000993: PUSH1 0x40 00000995: SWAP1 00000996: KECCAK256 00000997: SSTORE 00000998: DUP8 00000999: SLOAD 0000099a: PUSH2 0x09a9 0000099d: SWAP1 0000099e: DUP3 0000099f: PUSH4 0xffffffff 000009a4: PUSH2 0x08d4 000009a7: AND 000009a8: JUMP 000009a9: JUMPDEST 000009aa: DUP9 000009ab: SSTORE 000009ac: SWAP3 000009ad: POP 000009ae: POP 000009af: POP 000009b0: SWAP5 000009b1: SWAP4 000009b2: POP 000009b3: POP 000009b4: POP 000009b5: POP 000009b6: JUMP 000009b7: JUMPDEST 000009b8: PUSH1 0x20 000009ba: DUP3 000009bb: ADD 000009bc: MLOAD 000009bd: DUP3 000009be: MLOAD 000009bf: PUSH1 0x00 000009c1: SWAP2 000009c2: PUSH2 0x08e3 000009c5: SWAP2 000009c6: PUSH2 0x09d0 000009c9: SWAP1 000009ca: DUP6 000009cb: SWAP1 000009cc: PUSH2 0x09dc 000009cf: JUMP 000009d0: JUMPDEST 000009d1: SWAP1 000009d2: PUSH4 0xffffffff 000009d7: PUSH2 0x0a00 000009da: AND 000009db: JUMP 000009dc: JUMPDEST 000009dd: PUSH1 0x00 000009df: DUP3 000009e0: PUSH2 0x09eb 000009e3: JUMPI 000009e4: POP 000009e5: PUSH1 0x00 000009e7: PUSH2 0x0716 000009ea: JUMP 000009eb: JUMPDEST 000009ec: DUP3 000009ed: DUP3 000009ee: MUL 000009ef: DUP3 000009f0: DUP5 000009f1: DUP3 000009f2: DUP2 000009f3: PUSH2 0x09f8 000009f6: JUMPI 000009f7: INVALID 000009f8: JUMPDEST 000009f9: DIV 000009fa: EQ 000009fb: PUSH2 0x08e3 000009fe: JUMPI 000009ff: INVALID 00000a00: JUMPDEST 00000a01: PUSH1 0x00 00000a03: DUP2 00000a04: DUP4 00000a05: DUP2 00000a06: PUSH2 0x0a0b 00000a09: JUMPI 00000a0a: INVALID 00000a0b: JUMPDEST 00000a0c: DIV 00000a0d: SWAP4 00000a0e: SWAP3 00000a0f: POP 00000a10: POP 00000a11: POP 00000a12: JUMP 00000a13: INVALID 00000a14: LOG1 00000a15: PUSH6 0x627a7a723058 00000a1c: KECCAK256 00000a1d: SWAP15 00000a1e: CREATE2 00000a1f: ISZERO 00000a20: UNKNOWN(0xDB) 00000a21: DUP2 00000a22: UNKNOWN(0xB5) 00000a23: DUP4 00000a24: CODECOPY 00000a25: UNKNOWN(0xBF) 00000a26: EXP 00000a27: PUSH29
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no |
viewtrace_id: 0x3f7850ec7410899e391682fbc12c89c4d51fe6011f5adadab46e4c1e900ba93e
call_targets:
0x074403c5a4bccf6454544a5842fe98ddb694a147
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x3f7850ec7410899e391682fbc12c89c4d51fe6011f5adadab46e4c1e900ba93e",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x074403c5a4bccf6454544a5842fe98ddb694a147"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xab15f691",
"selector": "0xab15f691",
"calldata_variants": [
"0xab15f691",
"0xab15f6910000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xd6356cd0",
"selector": "0xd6356cd0",
"calldata_variants": [
"0xd6356cd0",
"0xd6356cd00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe75f7ddb",
"selector": "0xe75f7ddb",
"calldata_variants": [
"0xe75f7ddb",
"0xe75f7ddb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xfd8c06c6",
"selector": "0xfd8c06c6",
"calldata_variants": [
"0xfd8c06c6",
"0xfd8c06c60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x042a2847",
"selector": "0x042a2847",
"calldata_variants": [
"0x042a2847",
"0x042a28470000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x425132f0",
"selector": "0x425132f0",
"calldata_variants": [
"0x425132f0",
"0x425132f00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x63920c09",
"selector": "0x63920c09",
"calldata_variants": [
"0x63920c09",
"0x63920c090000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa6c07924",
"selector": "0xa6c07924",
"calldata_variants": [
"0xa6c07924",
"0xa6c079240000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1512,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1948,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2120,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 3,
"guards_detected": [],
"untrusted_call_count": 3
}
|
| high | other | detector | ETH value transfer possible | 55 | no | no |
viewtrace_id: 0x3f7850ec7410899e391682fbc12c89c4d51fe6011f5adadab46e4c1e900ba93e
call_targets:
0x074403c5a4bccf6454544a5842fe98ddb694a147
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x3f7850ec7410899e391682fbc12c89c4d51fe6011f5adadab46e4c1e900ba93e",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x074403c5a4bccf6454544a5842fe98ddb694a147"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xab15f691",
"selector": "0xab15f691",
"calldata_variants": [
"0xab15f691",
"0xab15f6910000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xd6356cd0",
"selector": "0xd6356cd0",
"calldata_variants": [
"0xd6356cd0",
"0xd6356cd00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe75f7ddb",
"selector": "0xe75f7ddb",
"calldata_variants": [
"0xe75f7ddb",
"0xe75f7ddb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xfd8c06c6",
"selector": "0xfd8c06c6",
"calldata_variants": [
"0xfd8c06c6",
"0xfd8c06c60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x042a2847",
"selector": "0x042a2847",
"calldata_variants": [
"0x042a2847",
"0x042a28470000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x425132f0",
"selector": "0x425132f0",
"calldata_variants": [
"0x425132f0",
"0x425132f00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x63920c09",
"selector": "0x63920c09",
"calldata_variants": [
"0x63920c09",
"0x63920c090000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa6c07924",
"selector": "0xa6c07924",
"calldata_variants": [
"0xa6c07924",
"0xa6c079240000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1512,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1948,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2120,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 3,
"guards_detected": []
}
|
| medium | other | detector | CREATE/CREATE2 reachable | 45 | no | no |
viewtrace_id: 0x21f1c6271f3300b7ccfb5a240b0dd82cd5a38f8b739cf6a10870eca800e2d29a
validation_json{
"sink": "CREATE",
"errors": 0,
"status": "unknown",
"attempts": 16,
"trace_id": "0x21f1c6271f3300b7ccfb5a240b0dd82cd5a38f8b739cf6a10870eca800e2d29a",
"confirmed": false,
"trace_mode": "structLogs",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xab15f691",
"selector": "0xab15f691",
"calldata_variants": [
"0xab15f691",
"0xab15f6910000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xd6356cd0",
"selector": "0xd6356cd0",
"calldata_variants": [
"0xd6356cd0",
"0xd6356cd00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe75f7ddb",
"selector": "0xe75f7ddb",
"calldata_variants": [
"0xe75f7ddb",
"0xe75f7ddb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xfd8c06c6",
"selector": "0xfd8c06c6",
"calldata_variants": [
"0xfd8c06c6",
"0xfd8c06c60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x042a2847",
"selector": "0x042a2847",
"calldata_variants": [
"0x042a2847",
"0x042a28470000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x425132f0",
"selector": "0x425132f0",
"calldata_variants": [
"0x425132f0",
"0x425132f00000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x63920c09",
"selector": "0x63920c09",
"calldata_variants": [
"0x63920c09",
"0x63920c090000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa6c07924",
"selector": "0xa6c07924",
"calldata_variants": [
"0xa6c07924",
"0xa6c079240000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"create_count": 0,
"create2_count": 1
}
|
| low | other | cast | Contract creation opcode present | 60 | no | — |
viewevidence_json{
"notes": "runtime can deploy contracts dynamically via CREATE/CREATE2",
"create_count": 0,
"create2_count": 1
}
|
| info | other | cast | Heavy EXTCODE*/BALANCE usage | 55 | no | — |
viewevidence_json{
"notes": "frequent external code or balance checks; may indicate introspection or validation logic",
"ext_balance_count": 6
}
|