Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

bbccc818-bed4-42f3-ab86-cad202273cd6

failed
Chain ID: 1
Address:
Block Number:
Created: Mon, Jan 5, 2026 8:17 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Verified
Review Backing: Not yet
Best current signal: Authorization based on tx.origin
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31749 report.consolidate complete 1 / 1 3 months ago
95917 artifact.fetch failed 1 / 3 1 week ago
95918 tool.cast_disasm complete 1 / 3 1 week ago
95919 analysis.bundle complete 1 / 3 1 week ago
95920 capability.graph complete 1 / 3 1 week ago
95921 detector.run complete 1 / 3 1 week ago
95922 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: yes

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 0
No findings?: yes
Summary: Reviewed ERC4626Migrator; no concrete exploit path to extract value found.
View stderr
[codex:847604] OpenAI Codex v0.77.0 (research preview)
[codex:847604] --------
[codex:847604] workdir: /tmp/codex-multi-z1hifcbh
[codex:847604] model: gpt-5.2-codex
[codex:847604] provider: openai
[codex:847604] approval: never
[codex:847604] sandbox: read-only
[codex:847604] reasoning effort: xhigh
[codex:847604] reasoning summaries: auto
[codex:847604] session id: 019b8fce-66f4-7400-bf17-57cc8e9140c6
[codex:847604] --------
[codex:847604] user
[codex:847604] You are a profit-focused exploit hunter. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:847604] 
[codex:847604] Read `AUDIT_BUNDLE.txt` completely before concluding. Treat `lib/` and `@openzeppelin/` as trusted unless misused.
[codex:847604] 
[codex:847604] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:847604] - Gas inefficiency, code quality, naming, or best practices
[codex:847604] - Theoretical vulnerabilities without a clear extraction path
[codex:847604] - Centralization risks (admin can rug) - assume admin keys are secure
[codex:847604] - Front-running unless it enables theft beyond MEV
[codex:847604] - DoS, griefing, or issues that don't result in attacker profit
[codex:847604] - Missing events, view function issues, or informational findings
[codex:847604] 
[codex:847604] HIGH-VALUE PATTERNS TO HUNT:
[codex:847604] - Reentrancy: external calls before state updates that allow double-withdrawal
[codex:847604] - Access control: missing/bypassable auth on withdraw, transfer, or mint functions
[codex:847604] - Flash loan attacks: borrow -> manipulate -> profit in single tx
[codex:847604] - Price oracle manipulation: TWAP with short window, spot price reads, stale prices
[codex:847604] - Signature replay: missing nonce, chainId, or deadline in permit/meta-tx
[codex:847604] - Proxy hijacking: unprotected initialize(), storage collision, UUPS without auth
[codex:847604] - Accounting errors: rounding that favors attacker, share inflation, first depositor attacks
[codex:847604] - Unchecked external calls: return value ignored on token transfers enabling fake tokens
[codex:847604] - Cross-function reentrancy: state read in function A, modified via reentrant call, used stale in A
[codex:847604] 
[codex:847604] For each finding, you MUST provide:
[codex:847604] 1. Exact file and line numbers of vulnerable code
[codex:847604] 2. Step-by-step exploit transaction sequence
[codex:847604] 3. Estimated profit potential (order of magnitude: contract balance, LP reserves, etc.)
[codex:847604] 
[codex:847604] If no concrete profit path exists: set no_findings=true. Do NOT pad with low-severity noise.
[codex:847604] 
[codex:847604] Output MUST be valid JSON matching the provided schema.
[codex:847604] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:847604] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:847604] mcp startup: no servers
[codex:847604] 
[codex:847604] thinking
[codex:847604] **Preparing to read AUDIT_BUNDLE.txt**
[codex:847604] exec
[codex:847604] /bin/bash -lc ls in /tmp/codex-multi-z1hifcbh succeeded in 5ms:
[codex:847604] AUDIT_BUNDLE.txt
[codex:847604] codex-output-schema.json
[codex:847604] contracts
[codex:847604] exec
[codex:847604] /bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-multi-z1hifcbh succeeded in 6ms:
[codex:847604] This file concatenates first-party Solidity sources only (lib/@openzeppelin excluded).
[codex:847604] 
[codex:847604] ================================================================================
[codex:847604] FILE: contracts/src/ERC4626Migrator.sol
[codex:847604] ================================================================================
[codex:847604] // SPDX-License-Identifier: AGPL-3.0-only
[codex:847604] pragma solidity 0.8.18;
[codex:847604] 
[codex:847604] import {ERC20} from "solmate/tokens/ERC20.sol";
[codex:847604] import {SafeTransferLib} from "solmate/utils/SafeTransferLib.sol";
[codex:847604] import {FixedPointMathLib} from "solmate/utils/FixedPointMathLib.sol";
[codex:847604] import {ReentrancyGuard} from "solmate/utils/ReentrancyGuard.sol";
[codex:847604] 
[codex:847604] /**
[codex:847604]  * @title ERC4626Migrator
[codex:847604]  * @author LHerskind
[codex:847604]  * @notice Contract to be used for distributing tokens based on their shares of the total supply.
[codex:847604]  * Practically LP tokens that can be migrated to WETH, DAI, and USDC.
[codex:847604]  * WETH, Dai and USDC held by the contract will be used to distribute to users, so that the contract
[codex:847604]  * is funded before users start using it, as they otherwise could simply sacrifice their share of the
[codex:847604] 
[codex:847604] thinking
[codex:847604] **Analyzing ERC4626Migrator exploit potential**
[codex:847604] 
[codex:847604] I'm working through a detailed exploit analysis of the ERC4626Migrator contract, focusing on how its floatingSupply calculation and token transfers interact. I'm testing if attackers can profit by manipulating floatingSupply via token transfers to the contract or using flash loans. So far, my math shows no profitable scenarios because tokens sent to the contract reduce floatingSupply but don't return assets, preventing gain. I also consider edge cases like zero floatingSupply, reentrancy, and deflationary tokens, but none yield concrete exploits. Overall, it looks secure with no findings, so I'll produce a JSON summary stating no exploit was found.
[codex:847604] codex
[codex:847604] {"no_findings":true,"summary":"Reviewed ERC4626Migrator; no concrete exploit path to extract value found.","findings":[]}
[codex:847604] tokens used
[codex:847604] 8,865
[codex:847604] {"no_findings":true,"summary":"Reviewed ERC4626Migrator; no concrete exploit path to extract value found.","findings":[]}
Metadata
{
    "codex": {
        "ran_at": "2026-01-05T20:17:53.648467+00:00",
        "returncode": 0
    },
    "summary": "Reviewed ERC4626Migrator; no concrete exploit path to extract value found.",
    "raw_final": {
        "summary": "Reviewed ERC4626Migrator; no concrete exploit path to extract value found.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 0
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 8
EXT*/BALANCE: 0
Total opcodes: 1082
Flags: No heuristic flags raised.
View cast disassembly output

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high auth detector Authorization based on tx.origin 70 no
validation_json
{
    "reason": "missing sink mapping",
    "status": "no_sink"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x34981905",
            "selector": "0x34981905",
            "calldata_variants": [
                "0x34981905",
                "0x349819050000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x6dcb9d01",
            "selector": "0x6dcb9d01",
            "calldata_variants": [
                "0x6dcb9d01",
                "0x6dcb9d010000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x8277908b",
            "selector": "0x8277908b",
            "calldata_variants": [
                "0x8277908b",
                "0x8277908b0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x89a30271",
            "selector": "0x89a30271",
            "calldata_variants": [
                "0x89a30271",
                "0x89a302710000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xad5c4648",
            "selector": "0xad5c4648",
            "calldata_variants": [
                "0xad5c4648",
                "0xad5c46480000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xe0bab4c4",
            "selector": "0xe0bab4c4",
            "calldata_variants": [
                "0xe0bab4c4",
                "0xe0bab4c40000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "guards_detected": [
        {
            "pc": 1942,
            "type": "tx_origin_used"
        }
    ]
}
medium other detector Untrusted CALL target/value reachable 45 no no
trace_id: 0xd0cf5380b915209c80c9f8b169bf8350c2caa8ddc342fdf9a321ce6700cb0bd7
call_targets: 0xc52b9ae03d971954701b07090c57d993edcfbe79
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xd0cf5380b915209c80c9f8b169bf8350c2caa8ddc342fdf9a321ce6700cb0bd7",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xc52b9ae03d971954701b07090c57d993edcfbe79"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x34981905",
            "selector": "0x34981905",
            "calldata_variants": [
                "0x34981905",
                "0x349819050000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x6dcb9d01",
            "selector": "0x6dcb9d01",
            "calldata_variants": [
                "0x6dcb9d01",
                "0x6dcb9d010000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x8277908b",
            "selector": "0x8277908b",
            "calldata_variants": [
                "0x8277908b",
                "0x8277908b0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x89a30271",
            "selector": "0x89a30271",
            "calldata_variants": [
                "0x89a30271",
                "0x89a302710000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xad5c4648",
            "selector": "0xad5c4648",
            "calldata_variants": [
                "0xad5c4648",
                "0xad5c46480000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xe0bab4c4",
            "selector": "0xe0bab4c4",
            "calldata_variants": [
                "0xe0bab4c4",
                "0xe0bab4c40000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 1580,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 1712,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 2,
    "guards_detected": [
        {
            "pc": 1942,
            "type": "tx_origin_used"
        }
    ],
    "untrusted_call_count": 2
}
medium other detector ETH value transfer possible 40 no no
trace_id: 0xd0cf5380b915209c80c9f8b169bf8350c2caa8ddc342fdf9a321ce6700cb0bd7
call_targets: 0xc52b9ae03d971954701b07090c57d993edcfbe79
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xd0cf5380b915209c80c9f8b169bf8350c2caa8ddc342fdf9a321ce6700cb0bd7",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xc52b9ae03d971954701b07090c57d993edcfbe79"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x34981905",
            "selector": "0x34981905",
            "calldata_variants": [
                "0x34981905",
                "0x349819050000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x6dcb9d01",
            "selector": "0x6dcb9d01",
            "calldata_variants": [
                "0x6dcb9d01",
                "0x6dcb9d010000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x8277908b",
            "selector": "0x8277908b",
            "calldata_variants": [
                "0x8277908b",
                "0x8277908b0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x89a30271",
            "selector": "0x89a30271",
            "calldata_variants": [
                "0x89a30271",
                "0x89a302710000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xad5c4648",
            "selector": "0xad5c4648",
            "calldata_variants": [
                "0xad5c4648",
                "0xad5c46480000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xe0bab4c4",
            "selector": "0xe0bab4c4",
            "calldata_variants": [
                "0xe0bab4c4",
                "0xe0bab4c40000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 1580,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 1712,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 2,
    "guards_detected": [
        {
            "pc": 1942,
            "type": "tx_origin_used"
        }
    ]
}