Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

a25574b3-98b2-47d6-a359-93e0ea8f3871

complete
Chain ID: 1
Address:
Block Number:
Created: Thu, Jan 1, 2026 9:11 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Bytecode only
Review Backing: Not yet
Best current signal: Untrusted DELEGATECALL target reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31133 report.consolidate complete 1 / 1 3 months ago
76612 artifact.fetch complete 1 / 3 1 week ago
76613 tool.cast_disasm complete 1 / 3 1 week ago
76614 analysis.bundle complete 1 / 3 1 week ago
76615 capability.graph complete 1 / 3 1 week ago
76616 detector.run complete 1 / 3 1 week ago
76617 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 0
No findings? yes
Summary: Reviewed runtime bytecode: it is a proxy that STATICCALLs a fixed registry (0x657975f60cd55b81e0c029dd0572d5e678b3a9cf) for an implementation address and then DELEGATECALLs. No controllable call target/value transfer or selfdestruct path is visible from bytecode alone.
stderr:
[codex:1323213] OpenAI Codex v0.77.0 (research preview)
[codex:1323213] --------
[codex:1323213] workdir: /tmp/codex-multi-63gpgari
[codex:1323213] model: gpt-5.2-codex
[codex:1323213] provider: openai
[codex:1323213] approval: never
[codex:1323213] sandbox: read-only
[codex:1323213] reasoning effort: xhigh
[codex:1323213] reasoning summaries: auto
[codex:1323213] session id: 019b7b64-e22b-7d53-908d-8b3c62f80cb9
[codex:1323213] --------
[codex:1323213] user
[codex:1323213] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:1323213] 
[codex:1323213] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:1323213] 
[codex:1323213] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:1323213] - Gas inefficiency, code quality, or best practices
[codex:1323213] - Theoretical vulnerabilities without a clear extraction path
[codex:1323213] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:1323213] - Issues requiring social engineering or off-chain coordination
[codex:1323213] 
[codex:1323213] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:1323213] - CALL/DELEGATECALL with controllable destination or calldata
[codex:1323213] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:1323213] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:1323213] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:1323213] - External calls before state updates (reentrancy)
[codex:1323213] - SELFDESTRUCT with controllable beneficiary
[codex:1323213] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:1323213] 
[codex:1323213] For each finding, you MUST explain:
[codex:1323213] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:1323213] 2. The concrete sequence of transactions to extract value
[codex:1323213] 3. Why you believe this is exploitable (not just suspicious)
[codex:1323213] 
[codex:1323213] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:1323213] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:1323213] 
[codex:1323213] Output MUST be valid JSON matching the provided schema.
[codex:1323213] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:1323213] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:1323213] mcp startup: no servers
[codex:1323213] 
[codex:1323213] thinking
[codex:1323213] **Preparing to read instructions**
[codex:1323213] exec
[codex:1323213] /bin/bash -lc ls in /tmp/codex-multi-63gpgari succeeded in 6ms:
[codex:1323213] BYTECODE_BUNDLE.txt
[codex:1323213] codex-output-schema.json
[codex:1323213] 
[codex:1323213] thinking
[codex:1323213] **Reading file**
[codex:1323213] exec
[codex:1323213] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-63gpgari succeeded in 5ms:
[codex:1323213] Runtime bytecode bundle for best-effort auditing.
[codex:1323213] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:1323213] 
[codex:1323213] FILE: runtime_bytecode.hex
[codex:1323213] 
[codex:1323213] thinking
[codex:1323213] **Analyzing bytecode for proxy pattern**
[codex:1323213] 
[codex:1323213] I'm carefully parsing the bytecode to understand how this contract acts as a proxy calling a fixed registry address to get an implementation and delegate calls. I'm piecing together the control flow, staticcall usage, and fallback logic to see if any exploitable upgrade paths or vulnerabilities exist purely from the bytecode, while reasoning about event logs and calldata/value checks.
[codex:1323213] exec
[codex:1323213] /bin/bash -lc "python - <<'PY'
[codex:1323213] import binascii, textwrap
[codex:1323213] code=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].split('\\n')[0]
[codex:1323213] code=code.strip()
[codex:1323213] # Convert to bytes
[codex:1323213] b=bytes.fromhex(code)
[codex:1323213] # Opcode map
[codex:1323213] opcodes={
[codex:1323213] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:1323213] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:1323213] 0x20:'SHA3',
[codex:1323213] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:1323213] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:1323213] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x5c:'TLOAD',0x5d:'TSTORE',0x5e:'MCOPY',0x5f:'PUSH0',
[codex:1323213] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
[codex:1323213] 0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:1323213] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:1323213] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:1323213] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:1323213] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xf6:'staticcall?',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:1323213] }
[codex:1323213] 
[codex:1323213] pc=0
[codex:1323213] out=[]
[codex:1323213] while pc < len(b):
[codex:1323213]     op=b[pc]
[codex:1323213]     name=opcodes.get(op, f'OP{op:02x}')
[codex:1323213]     pc0=pc
[codex:1323213]     pc+=1
[codex:1323213]     if 0x60 <= op <= 0x7f:
[codex:1323213]         n=op-0x5f
[codex:1323213]         data=b[pc:pc+n]
[codex:1323213]         pc+=n
[codex:1323213]         out.append(f\"{pc0:04x}: {name} 0x{data.hex()}\")
[codex:1323213]     else:
[codex:1323213]         out.append(f\"{pc0:04x}: {name}\")
[codex:1323213] 
[codex:1323213] print(\"\\n\".join(out))
[codex:1323213] PY" in /tmp/codex-multi-63gpgari succeeded in 26ms:
[codex:1323213] 0000: PUSH1 0x80
[codex:1323213] 0002: PUSH1 0x40
[codex:1323213] 0004: MSTORE
[codex:1323213] 0005: CALLDATASIZE
[codex:1323213] 0006: PUSH2 0x0053
[codex:1323213] 0009: JUMPI
[codex:1323213] 000a: CALLVALUE
[codex:1323213] 000b: ISZERO
[codex:1323213] 000c: PUSH2 0x0051
[codex:1323213] 000f: JUMPI
[codex:1323213] 0010: CALLER
[codex:1323213] 0011: PUSH1 0x01
[codex:1323213] 0013: PUSH1 0x01
[codex:1323213] 0015: PUSH1 0xa0
[codex:1323213] 0017: SHL
[codex:1323213] 0018: SUB
[codex:1323213] 0019: AND
[codex:1323213] 001a: PUSH32 0xe1fffcc4923d04b559f4d29a8bfc6cda04eb5b0d3c460751c2402c5c5cc9109c
[codex:1323213] 003b: CALLVALUE
[codex:1323213] 003c: PUSH1 0x40
[codex:1323213] 
[codex:1323213] thinking
[codex:1323213] **Summarizing bytecode analysis findings**
[codex:1323213] 
[codex:1323213] This bytecode looks like a proxy that staticcalls a fixed registry to fetch its implementation and then delegatecalls it; calls with nonzero calldata require zero value, and no selfdestruct or controllable target or value transfer is visible. I’m preparing a precise JSON summary confirming no exploit path found, sticking strictly to the required schema and cautious about output validity.
[codex:1323213] codex
[codex:1323213] {"no_findings":true,"summary":"Reviewed runtime bytecode: it is a proxy that STATICCALLs a fixed registry (0x657975f60cd55b81e0c029dd0572d5e678b3a9cf) for an implementation address and then DELEGATECALLs. No controllable call target/value transfer or selfdestruct path is visible from bytecode alone.","findings":[]}
[codex:1323213] tokens used
[codex:1323213] 16,341
Metadata
{
    "codex": {
        "ran_at": "2026-01-01T21:11:22.608794+00:00",
        "returncode": 0
    },
    "summary": "Reviewed runtime bytecode: it is a proxy that STATICCALLs a fixed registry (0x657975f60cd55b81e0c029dd0572d5e678b3a9cf) for an implementation address and then DELEGATECALLs. No controllable call target/value transfer or selfdestruct path is visible from bytecode alone.",
    "raw_final": {
        "summary": "Reviewed runtime bytecode: it is a proxy that STATICCALLs a fixed registry (0x657975f60cd55b81e0c029dd0572d5e678b3a9cf) for an implementation address and then DELEGATECALLs. No controllable call target/value transfer or selfdestruct path is visible from bytecode alone.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 1
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 2
EXT*/BALANCE: 1
Total opcodes: 243
Flags: delegatecall_present
Cast disassembly output:
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: CALLDATASIZE
00000006: PUSH2 0x0053
00000009: JUMPI
0000000a: CALLVALUE
0000000b: ISZERO
0000000c: PUSH2 0x0051
0000000f: JUMPI
00000010: CALLER
00000011: PUSH1 0x01
00000013: PUSH1 0x01
00000015: PUSH1 0xa0
00000017: SHL
00000018: SUB
00000019: AND
0000001a: PUSH32 0xe1fffcc4923d04b559f4d29a8bfc6cda04eb5b0d3c460751c2402c5c5cc9109c
0000003b: CALLVALUE
0000003c: PUSH1 0x40
0000003e: MLOAD
0000003f: PUSH2 0x0048
00000042: SWAP2
00000043: SWAP1
00000044: PUSH2 0x014b
00000047: JUMP
00000048: JUMPDEST
00000049: PUSH1 0x40
0000004b: MLOAD
0000004c: DUP1
0000004d: SWAP2
0000004e: SUB
0000004f: SWAP1
00000050: LOG2
00000051: JUMPDEST
00000052: STOP
00000053: JUMPDEST
00000054: CALLVALUE
00000055: DUP1
00000056: ISZERO
00000057: PUSH2 0x005f
0000005a: JUMPI
0000005b: PUSH1 0x00
0000005d: DUP1
0000005e: REVERT
0000005f: JUMPDEST
00000060: POP
00000061: PUSH1 0x00
00000063: PUSH32 0x000000000000000000000000657975f60cd55b81e0c029dd0572d5e678b3a9cf
00000084: PUSH1 0x01
00000086: PUSH1 0x01
00000088: PUSH1 0xa0
0000008a: SHL
0000008b: SUB
0000008c: AND
0000008d: PUSH4 0x34c5c27e
00000092: PUSH1 0x40
00000094: MLOAD
00000095: DUP2
00000096: PUSH4 0xffffffff
0000009b: AND
0000009c: PUSH1 0xe0
0000009e: SHL
0000009f: DUP2
000000a0: MSTORE
000000a1: PUSH1 0x04
000000a3: ADD
000000a4: PUSH1 0x20
000000a6: PUSH1 0x40
000000a8: MLOAD
000000a9: DUP1
000000aa: DUP4
000000ab: SUB
000000ac: DUP2
000000ad: DUP7
000000ae: DUP1
000000af: EXTCODESIZE
000000b0: ISZERO
000000b1: DUP1
000000b2: ISZERO
000000b3: PUSH2 0x00bb
000000b6: JUMPI
000000b7: PUSH1 0x00
000000b9: DUP1
000000ba: REVERT
000000bb: JUMPDEST
000000bc: POP
000000bd: GAS
000000be: STATICCALL
000000bf: ISZERO
000000c0: DUP1
000000c1: ISZERO
000000c2: PUSH2 0x00cf
000000c5: JUMPI
000000c6: RETURNDATASIZE
000000c7: PUSH1 0x00
000000c9: DUP1
000000ca: RETURNDATACOPY
000000cb: RETURNDATASIZE
000000cc: PUSH1 0x00
000000ce: REVERT
000000cf: JUMPDEST
000000d0: POP
000000d1: POP
000000d2: POP
000000d3: POP
000000d4: PUSH1 0x40
000000d6: MLOAD
000000d7: RETURNDATASIZE
000000d8: PUSH1 0x1f
000000da: NOT
000000db: PUSH1 0x1f
000000dd: DUP3
000000de: ADD
000000df: AND
000000e0: DUP3
000000e1: ADD
000000e2: DUP1
000000e3: PUSH1 0x40
000000e5: MSTORE
000000e6: POP
000000e7: DUP2
000000e8: ADD
000000e9: SWAP1
000000ea: PUSH2 0x00f3
000000ed: SWAP2
000000ee: SWAP1
000000ef: PUSH2 0x011d
000000f2: JUMP
000000f3: JUMPDEST
000000f4: SWAP1
000000f5: POP
000000f6: PUSH1 0x40
000000f8: MLOAD
000000f9: CALLDATASIZE
000000fa: DUP1
000000fb: PUSH1 0x00
000000fd: DUP4
000000fe: CALLDATACOPY
000000ff: PUSH1 0x00
00000101: DUP1
00000102: DUP3
00000103: DUP5
00000104: DUP7
00000105: GAS
00000106: DELEGATECALL
00000107: RETURNDATASIZE
00000108: SWAP2
00000109: POP
0000010a: DUP2
0000010b: PUSH1 0x00
0000010d: DUP5
0000010e: RETURNDATACOPY
0000010f: DUP1
00000110: DUP1
00000111: ISZERO
00000112: PUSH2 0x0119
00000115: JUMPI
00000116: DUP3
00000117: DUP5
00000118: RETURN
00000119: JUMPDEST
0000011a: DUP3
0000011b: DUP5
0000011c: REVERT
0000011d: JUMPDEST
0000011e: PUSH1 0x00
00000120: PUSH1 0x20
00000122: DUP3
00000123: DUP5
00000124: SUB
00000125: SLT
00000126: ISZERO
00000127: PUSH2 0x012e
0000012a: JUMPI
0000012b: DUP1
0000012c: DUP2
0000012d: REVERT
0000012e: JUMPDEST
0000012f: DUP2
00000130: MLOAD
00000131: PUSH1 0x01
00000133: PUSH1 0x01
00000135: PUSH1 0xa0
00000137: SHL
00000138: SUB
00000139: DUP2
0000013a: AND
0000013b: DUP2
0000013c: EQ
0000013d: PUSH2 0x0144
00000140: JUMPI
00000141: DUP2
00000142: DUP3
00000143: REVERT
00000144: JUMPDEST
00000145: SWAP4
00000146: SWAP3
00000147: POP
00000148: POP
00000149: POP
0000014a: JUMP
0000014b: JUMPDEST
0000014c: SWAP1
0000014d: DUP2
0000014e: MSTORE
0000014f: PUSH1 0x20
00000151: ADD
00000152: SWAP1
00000153: JUMP
00000154: INVALID
00000155: LOG2
00000156: PUSH5 0x6970667358
0000015c: UNKNOWN(0x22)
0000015d: SLT
0000015e: KECCAK256
0000015f: STATICCALL
00000160: RETURNDATACOPY
00000161: SHR
00000162: SWAP11
00000163: BASEFEE
00000164: PUSH3 0x74819c
00000168: MSIZE
00000169: CALLDATALOAD
0000016a: UNKNOWN(0xCE)
0000016b: UNKNOWN(0x0D)
0000016c: ADDRESS
0000016d: SWAP13
0000016e: SWAP7
0000016f: CLZ
00000170: UNKNOWN(0xEC)
00000171: UNKNOWN(0x1F)
00000172: PUSH0
00000173: REVERT
00000174: PC
00000175: MCOPY
00000176: UNKNOWN(0xB6)
00000177: PUSH13 0xbd1141ed03540164736f6c6343
00000185: STOP
00000186: ADDMOD
00000187: STOP
00000188: STOP
00000189: CALLER

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
critical upgradeability detector Untrusted DELEGATECALL target reachable 70 no no
validation_json
{
    "sink": "DELEGATECALL",
    "errors": 10,
    "status": "unknown",
    "attempts": 11,
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": null,
    "matched_probe": null,
    "target_varies": null,
    "classification": "no_sink"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 262,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [],
    "delegatecall_count": 1,
    "untrusted_delegatecall_count": 1
}
medium upgradeability cast DELEGATECALL present 80 no
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 1
}