TW
Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

bfe94f78-40cb-46ca-a933-1f0f4110b835

complete
Chain ID
1
Address
0x8a909adc6c299cc4a206e730b15d2b97b0fbf0bd
Block Number
Created
Fri, Jan 2, 2026 11:05 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract
Confirmed
0
Validated
0
Source
Bytecode only
Review Backing
Not yet
Best current signal
Untrusted CALL target/value reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31376 report.consolidate complete 1 / 1 3 months ago
111254 artifact.fetch complete 1 / 3 1 week ago
111255 tool.cast_disasm complete 1 / 3 1 week ago
111256 analysis.bundle complete 1 / 3 1 week ago
111257 capability.graph complete 1 / 3 1 week ago
111258 detector.run complete 1 / 3 1 week ago
111259 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
0
No findings?
yes
Summary
No concrete, exploitable value-extraction path found in the provided runtime bytecode; ETH transfer is gated by a stored authorized address and the only setter is owner-restricted and one-time.
View stderr 
[codex:428596] OpenAI Codex v0.77.0 (research preview)
[codex:428596] --------
[codex:428596] workdir: /tmp/codex-multi-_mvcnu52
[codex:428596] model: gpt-5.2-codex
[codex:428596] provider: openai
[codex:428596] approval: never
[codex:428596] sandbox: read-only
[codex:428596] reasoning effort: xhigh
[codex:428596] reasoning summaries: auto
[codex:428596] session id: 019b80ef-bb35-7f90-b3f2-4b8afe373818
[codex:428596] --------
[codex:428596] user
[codex:428596] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:428596] 
[codex:428596] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:428596] 
[codex:428596] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:428596] - Gas inefficiency, code quality, or best practices
[codex:428596] - Theoretical vulnerabilities without a clear extraction path
[codex:428596] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:428596] - Issues requiring social engineering or off-chain coordination
[codex:428596] 
[codex:428596] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:428596] - CALL/DELEGATECALL with controllable destination or calldata
[codex:428596] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:428596] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:428596] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:428596] - External calls before state updates (reentrancy)
[codex:428596] - SELFDESTRUCT with controllable beneficiary
[codex:428596] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:428596] 
[codex:428596] For each finding, you MUST explain:
[codex:428596] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:428596] 2. The concrete sequence of transactions to extract value
[codex:428596] 3. Why you believe this is exploitable (not just suspicious)
[codex:428596] 
[codex:428596] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:428596] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:428596] 
[codex:428596] Output MUST be valid JSON matching the provided schema.
[codex:428596] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:428596] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:428596] mcp startup: no servers
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:428596] exec
[codex:428596] /bin/bash -lc ls in /tmp/codex-multi-_mvcnu52 succeeded in 6ms:
[codex:428596] BYTECODE_BUNDLE.txt
[codex:428596] codex-output-schema.json
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Reading file**
[codex:428596] exec
[codex:428596] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-_mvcnu52 succeeded in 5ms:
[codex:428596] Runtime bytecode bundle for best-effort auditing.
[codex:428596] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:428596] 
[codex:428596] FILE: runtime_bytecode.hex
[codex:428596] 0x6080604052600436106100295760003560e01c806381bac14f1461002b578063b7760c8f14610072575b005b34801561003757600080fd5b5061005e6004803603602081101561004e57600080fd5b50356001600160a01b031661009e565b604080519115158252519081900360200190f35b61005e6004803603604081101561008857600080fd5b50803590602001356001600160a01b0316610168565b600080546001600160a01b031633146100f5576040805162461bcd60e51b81526020600482015260146024820152732fb7bbb732b910109e9036b9b39739b2b73232b960611b604482015290519081900360640190fd5b6001546001600160a01b031615610144576040805162461bcd60e51b815260206004820152600e60248201526d17dc9bdbdd081b9bdd081b9d5b1b60921b604482015290519081900360640190fd5b600180546001600160a01b0319166001600160a01b03939093169290921790915590565b6001546000906001600160a01b031633146101ca576040805162461bcd60e51b815260206004820152601f60248201527f6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400604482015290519081900360640190fd5b6040516001600160a01b0383169084156108fc029085906000818181858888f19350505050158015610200573d6000803e3d6000fd5b506001939250505056fea265627a7a72315820aec9d8d1e64d679b97a59f4996c5e3fb412fb57c249c1dc69c4b6262fef7406664736f6c634300050c0032
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Analyzing bytecode structure and functions**
[codex:428596] 
[codex:428596] I'll carefully parse the contract bytecode to identify its key functions, parameters, storage access, and access control patterns, piecing together owner checks, address parameters, and possible ETH forwarding calls to understand its behavior and potential vulnerabilities.
[codex:428596] exec
[codex:428596] /bin/bash -lc "PYTHONDONTWRITEBYTECODE=1 python - <<'PY'
[codex:428596] from binascii import unhexlify
[codex:428596] code=open('BYTECODE_BUNDLE.txt').read().split('0x',1)[1].splitlines()[0].strip()
[codex:428596] # get runtime hex string after FILE: runtime_bytecode.hex line
[codex:428596] # Actually file contains 0x... on same line
[codex:428596] hexstr=code
[codex:428596] # remove possible prefix
[codex:428596] if hexstr.startswith('0x'): hexstr=hexstr[2:]
[codex:428596] # But we used split on '0x' above wrong; fix
[codex:428596] PY" in /tmp/codex-multi-_mvcnu52 succeeded in 17ms:
[codex:428596] 
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Opening file to parse hex lines**
[codex:428596] exec
[codex:428596] /bin/bash -lc "PYTHONDONTWRITEBYTECODE=1 python - <<'PY'
[codex:428596] import re
[codex:428596] text=open('BYTECODE_BUNDLE.txt').read().splitlines()
[codex:428596] hexline=None
[codex:428596] for line in text:
[codex:428596]     if line.strip().startswith('0x'):
[codex:428596]         hexline=line.strip()
[codex:428596]         break
[codex:428596] assert hexline
[codex:428596] hexstr=hexline[2:]
[codex:428596] print('len',len(hexstr)//2)
[codex:428596] # simple disassembler
[codex:428596] opcodes = {
[codex:428596]     0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:428596]     0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:428596]     0x20:'SHA3',
[codex:428596]     0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:428596]     0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:428596]     0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:428596]     0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:428596] }
[codex:428596] # add dup/swap/log
[codex:428596] for i in range(1,17): opcodes[0x7f+i]=f'DUP{i}'
[codex:428596] for i in range(1,17): opcodes[0x8f+i]=f'SWAP{i}'
[codex:428596] for i in range(0,5): opcodes[0xa0+i]=f'LOG{i}'
[codex:428596] 
[codex:428596] i=0
[codex:428596] b=bytes.fromhex(hexstr)
[codex:428596] while i<len(b):
[codex:428596]     op=b[i]
[codex:428596]     if 0x60<=op<=0x7f:
[codex:428596]         n=op-0x5f
[codex:428596]         data=b[i+1:i+1+n]
[codex:428596]         print(f'{i:04x}: PUSH{n} 0x{data.hex()}')
[codex:428596]         i+=1+n
[codex:428596]         continue
[codex:428596]     name=opcodes.get(op, f'UNKNOWN_{op:02x}')
[codex:428596]     print(f'{i:04x}: {name}')
[codex:428596]     i+=1
[codex:428596] PY" in /tmp/codex-multi-_mvcnu52 succeeded in 24ms:
[codex:428596] len 575
[codex:428596] 0000: PUSH1 0x80
[codex:428596] 0002: PUSH1 0x40
[codex:428596] 0004: MSTORE
[codex:428596] 0005: PUSH1 0x04
[codex:428596] 0007: CALLDATASIZE
[codex:428596] 0008: LT
[codex:428596] 0009: PUSH2 0x0029
[codex:428596] 000c: JUMPI
[codex:428596] 000d: PUSH1 0x00
[codex:428596] 000f: CALLDATALOAD
[codex:428596] 0010: PUSH1 0xe0
[codex:428596] 0012: SHR
[codex:428596] 0013: DUP1
[codex:428596] 0014: PUSH4 0x81bac14f
[codex:428596] 0019: EQ
[codex:428596] 001a: PUSH2 0x002b
[codex:428596] 001d: JUMPI
[codex:428596] 001e: DUP1
[codex:428596] 001f: PUSH4 0xb7760c8f
[codex:428596] 
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Analyzing internal call parameters and gas logic**
[codex:428596] thinking
[codex:428596] **Preparing symbolic stack simulation**
[codex:428596] exec
[codex:428596] /bin/bash -lc "PYTHONDONTWRITEBYTECODE=1 python - <<'PY'
[codex:428596] # simple symbolic to track stack names
[codex:428596] data=open('BYTECODE_BUNDLE.txt').read().split('0x',1)[1].splitlines()[0].strip()
[codex:428596] hexstr=data
[codex:428596] b=bytes.fromhex(hexstr)
[codex:428596] # map opcodes to names and push length
[codex:428596] opnames={0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x33:'CALLER',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x1b:'SHL',0x03:'SUB',0x01:'ADD',0x02:'MUL',0xf1:'CALL',0x90:'SWAP1'}
[codex:428596] for i in range(2,17): opnames[0x8f+i]=f'SWAP{i}'
[codex:428596] for i in range(1,17): opnames[0x7f+i]=f'DUP{i}'
[codex:428596] # Precompute instructions list with pc
[codex:428596] insts=[]
[codex:428596] i=0
[codex:428596] while i<len(b):
[codex:428596]     op=b[i]
[codex:428596]     if 0x60<=op<=0x7f:
[codex:428596]         n=op-0x5f
[codex:428596]         data=b[i+1:i+1+n]
[codex:428596]         insts.append((i,f'PUSH{n}',int.from_bytes(data,'big')))
[codex:428596]         i+=1+n
[codex:428596]     else:
[codex:428596]         insts.append((i,opnames.get(op,f'OP_{op:02x}'),None))
[codex:428596]         i+=1
[codex:428596] 
[codex:428596] # build mapping pc->index
[codex:428596] pc_index={pc:idx for idx,(pc,_,_) in enumerate(insts)}
[codex:428596] 
[codex:428596] start=0x0168
[codex:428596] end=0x01ea
[codex:428596] # init stack
[codex:428596] stack=['addr','value','ret']  # top first
[codex:428596] 
[codex:428596] for idx in range(pc_index[start], pc_index[end]+1):
[codex:428596]     pc,op,arg=insts[idx]
[codex:428596]     if op=='JUMPDEST':
[codex:428596]         print(f'{pc:04x}: JUMPDEST stack={stack}')
[codex:428596]         continue
[codex:428596]     if op.startswith('PUSH'):
[codex:428596]         stack.insert(0, f'{arg:#x}')
[codex:428596]     elif op.startswith('DUP'):
[codex:428596]         n=int(op[3:])
[codex:428596]         stack.insert(0, stack[n-1])
[codex:428596]     elif op.startswith('SWAP'):
[codex:428596]         n=int(op[4:])
[codex:428596]         stack[0], stack[n]= stack[n], stack[0]
[codex:428596]     elif op=='POP':
[codex:428596]         stack.pop(0)
[codex:428596]     elif op in ('SLOAD','MLOAD','CALLER'):
[codex:428596]         if op=='SLOAD':
[codex:428596]             stack[0]=f'sload({stack[0]})'
[codex:428596]         elif op=='MLOAD':
[codex:428596]             stack[0]=f'mload({stack[0]})'
[codex:428596]         elif op=='CALLER':
[codex:428596]             stack.insert(0,'caller')
[codex:428596]     elif op=='AND':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}&{b1})')
[codex:428596]     elif op=='OR':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}|{b1})')
[codex:428596]     elif op=='SHL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}<<{a})')
[codex:428596]     elif op=='SUB':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}-{a})')
[codex:428596]     elif op=='ADD':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}+{a})')
[codex:428596]     elif op=='MUL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}*{a})')
[codex:428596]     elif op=='EQ':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}=={a})')
[codex:428596]     elif op=='ISZERO':
[codex:428596]         a=stack.pop(0)
[codex:428596]         stack.insert(0,f'iszero({a})')
[codex:428596]     elif op=='CALL':
[codex:428596]         # print top 7 args
[codex:428596]         args=stack[:7]
[codex:428596]         print(f'{pc:04x}: CALL args(top7)={args}')
[codex:428596]         # simulate pop 7 and push result
[codex:428596]         for _ in range(7): stack.pop(0)
[codex:428596]         stack.insert(0,'call_result')
[codex:428596]     elif op in ('JUMP','JUMPI'):
[codex:428596]         pass
[codex:428596]     else:
[codex:428596]         # other ops
[codex:428596]         pass
[codex:428596]     if pc in (0x0169,0x01ca,0x01df,0x01ea):
[codex:428596]         print(f'{pc:04x}: {op} stack={stack}')
[codex:428596] 
[codex:428596] PY" in /tmp/codex-multi-_mvcnu52 succeeded in 19ms:
[codex:428596] 0168: JUMPDEST stack=['addr', 'value', 'ret']
[codex:428596] 0169: PUSH1 stack=['0x1', 'addr', 'value', 'ret']
[codex:428596] 01ca: JUMPDEST stack=['mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)', '((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)', '(0x24+(0x4+mload(0x40)))', '0x1f', '(0x4+mload(0x40))', '0x20', 'mload(0x40)', '(0x461bcd<<0xe5)', 'mload(0x40)', '0x40', '0x1ca', '(((0x1-(0x1<<0xa0))&sload(0x1))==caller)', '0x0', 'addr', 'value', 'ret']
[codex:428596] 01df: SWAP1 stack=['mload(0x40)', '(iszero((0x24+(0x4+mload(0x40))))*0x8fc)', '(((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)&(0x1-(0x1<<0xa0)))', 'mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)', '((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)', '(0x24+(0x4+mload(0x40)))', '0x1f', '(0x4+mload(0x40))', '0x20', 'mload(0x40)', '(0x461bcd<<0xe5)', 'mload(0x40)', '0x40', '0x1ca', '(((0x1-(0x1<<0xa0))&sload(0x1))==caller)', '0x0', 'addr', 'value', 'ret']
[codex:428596] 01ea: CALL args(top7)=['(iszero((0x24+(0x4+mload(0x40))))*0x8fc)', '(((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)&(0x1-(0x1<<0xa0)))', '(0x24+(0x4+mload(0x40)))', 'mload(0x40)', '0x0', 'mload(0x40)', '0x0']
[codex:428596] 01ea: CALL stack=['call_result', 'mload(0x40)', '(0x24+(0x4+mload(0x40)))', '(iszero((0x24+(0x4+mload(0x40))))*0x8fc)', '(((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)&(0x1-(0x1<<0xa0)))', 'mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)', '((mload(0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400)-(0x44+(0x24+(0x4+mload(0x40)))))+0x64)', '(0x24+(0x4+mload(0x40)))', '0x1f', '(0x4+mload(0x40))', '0x20', 'mload(0x40)', '(0x461bcd<<0xe5)', 'mload(0x40)', '0x40', '0x1ca', '(((0x1-(0x1<<0xa0))&sload(0x1))==caller)', '0x0', 'addr', 'value', 'ret']
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Reevaluating symbolic execution approach**
[codex:428596] 
[codex:428596] The symbolic run went off track because I didn’t properly model the JUMPI branch at 0x017d, causing the script to continue into the revert path unintentionally with a bloated stack. I think it’s best to redo the symbolic analysis manually along the intended “happy path” where msg.sender equals slot1. To do this properly, I’ll build a simple interpreter that follows the correct branch at JUMPI and avoids the revert path, letting me step through and verify the stack state accurately.
[codex:428596] exec
[codex:428596] /bin/bash -lc "PYTHONDONTWRITEBYTECODE=1 python - <<'PY'
[codex:428596] from dataclasses import dataclass
[codex:428596] 
[codex:428596] # load bytecode
[codex:428596] text=open('BYTECODE_BUNDLE.txt').read().splitlines()
[codex:428596] hexline=None
[codex:428596] for line in text:
[codex:428596]     if line.strip().startswith('0x'):
[codex:428596]         hexline=line.strip()
[codex:428596]         break
[codex:428596] hexstr=hexline[2:]
[codex:428596] b=bytes.fromhex(hexstr)
[codex:428596] 
[codex:428596] # decode into list
[codex:428596] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:428596]     0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:428596]     0x20:'SHA3',
[codex:428596]     0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:428596]     0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:428596]     0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:428596]     0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:428596] }
[codex:428596] for i in range(1,17): opnames[0x7f+i]=f'DUP{i}'
[codex:428596] for i in range(1,17): opnames[0x8f+i]=f'SWAP{i}'
[codex:428596] 
[codex:428596] insts=[]
[codex:428596] i=0
[codex:428596] while i<len(b):
[codex:428596]     op=b[i]
[codex:428596]     if 0x60<=op<=0x7f:
[codex:428596]         n=op-0x5f
[codex:428596]         data=int.from_bytes(b[i+1:i+1+n],'big')
[codex:428596]         insts.append((i,f'PUSH{n}',data))
[codex:428596]         i+=1+n
[codex:428596]     else:
[codex:428596]         insts.append((i,opnames.get(op,f'OP_{op:02x}'),None))
[codex:428596]         i+=1
[codex:428596] pc_index={pc:idx for idx,(pc,_,_) in enumerate(insts)}
[codex:428596] 
[codex:428596] # simple executor along path, with chosen branch for JUMPI at 0x017d to jump
[codex:428596] pc=0x0168
[codex:428596] stack=['addr','value','ret']
[codex:428596] 
[codex:428596] # Provide storage slot1 and caller equality to force jump
[codex:428596] 
[codex:428596] # We'll step until CALL at 0x01ea
[codex:428596] visited=0
[codex:428596] while True:
[codex:428596]     if pc not in pc_index:
[codex:428596]         print('pc not found',pc)
[codex:428596]         break
[codex:428596]     idx=pc_index[pc]
[codex:428596]     pc,op,arg=insts[idx]
[codex:428596]     # print trace
[codex:428596]     # print(f'{pc:04x} {op} {arg} stack={stack}')
[codex:428596]     if op=='JUMPDEST':
[codex:428596]         pc=insts[idx+1][0]
[codex:428596]         continue
[codex:428596]     if op.startswith('PUSH'):
[codex:428596]         stack.insert(0,f'{arg:#x}')
[codex:428596]     elif op.startswith('DUP'):
[codex:428596]         n=int(op[3:])
[codex:428596]         stack.insert(0, stack[n-1])
[codex:428596]     elif op.startswith('SWAP'):
[codex:428596]         n=int(op[4:])
[codex:428596]         stack[0], stack[n] = stack[n], stack[0]
[codex:428596]     elif op=='POP':
[codex:428596]         stack.pop(0)
[codex:428596]     elif op=='SLOAD':
[codex:428596]         stack[0]=f'sload({stack[0]})'
[codex:428596]     elif op=='MLOAD':
[codex:428596]         stack[0]=f'mload({stack[0]})'
[codex:428596]     elif op=='CALLER':
[codex:428596]         stack.insert(0,'caller')
[codex:428596]     elif op=='AND':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}&{b1})')
[codex:428596]     elif op=='OR':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}|{b1})')
[codex:428596]     elif op=='SHL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}<<{a})')
[codex:428596]     elif op=='SUB':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}-{a})')
[codex:428596]     elif op=='ADD':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}+{a})')
[codex:428596]     elif op=='MUL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}*{a})')
[codex:428596]     elif op=='EQ':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}=={a})')
[codex:428596]     elif op=='ISZERO':
[codex:428596]         a=stack.pop(0)
[codex:428596]         stack.insert(0,f'iszero({a})')
[codex:428596]     elif op=='JUMPI':
[codex:428596]         # choose jump when at 0x017d
[codex:428596]         if pc==0x017d:
[codex:428596]             # jump to 0x01ca
[codex:428596]             pc=0x01ca
[codex:428596]             continue
[codex:428596]         else:
[codex:428596]             # otherwise no jump
[codex:428596]             pass
[codex:428596]     elif op=='JUMP':
[codex:428596]         # not expected in this trace
[codex:428596]         break
[codex:428596]     elif op=='CALL':
[codex:428596]         # print call args
[codex:428596]         args=stack[:7]
[codex:428596]         print('CALL top7',args)
[codex:428596]         break
[codex:428596]     # advance pc
[codex:428596]     pc=insts[idx+1][0]
[codex:428596] PY" in /tmp/codex-multi-_mvcnu52 succeeded in 40ms:
[codex:428596] CALL top7 ['(iszero(0x0)*0x8fc)', '((((0x1-(0x1<<0xa0))&sload(0x1))==caller)&(0x1-(0x1<<0xa0)))', '0x0', 'mload(0x40)', '0x0', 'mload(0x40)', '0x0']
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Analyzing symbolic execution stack issues**
[codex:428596] 
[codex:428596] I'm investigating why the symbolic execution stack isn't propagating correctly, suspecting a mishandling around the JUMPI at 0x017d that may have skipped important instructions and disrupted the stack state. I'll add logging to output the stack right before this jump to clarify what went wrong.
[codex:428596] exec
[codex:428596] /bin/bash -lc "PYTHONDONTWRITEBYTECODE=1 python - <<'PY'
[codex:428596] # debugging stack before JUMPI at 0x017d
[codex:428596] text=open('BYTECODE_BUNDLE.txt').read().splitlines()
[codex:428596] hexline=None
[codex:428596] for line in text:
[codex:428596]     if line.strip().startswith('0x'):
[codex:428596]         hexline=line.strip(); break
[codex:428596] hexstr=hexline[2:]
[codex:428596] b=bytes.fromhex(hexstr)
[codex:428596] 
[codex:428596] opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:428596]     0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:428596]     0x20:'SHA3',
[codex:428596]     0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:428596]     0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:428596]     0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:428596]     0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:428596] }
[codex:428596] for i in range(1,17): opnames[0x7f+i]=f'DUP{i}'
[codex:428596] for i in range(1,17): opnames[0x8f+i]=f'SWAP{i}'
[codex:428596] 
[codex:428596] insts=[]
[codex:428596] i=0
[codex:428596] while i<len(b):
[codex:428596]     op=b[i]
[codex:428596]     if 0x60<=op<=0x7f:
[codex:428596]         n=op-0x5f
[codex:428596]         data=int.from_bytes(b[i+1:i+1+n],'big')
[codex:428596]         insts.append((i,f'PUSH{n}',data))
[codex:428596]         i+=1+n
[codex:428596]     else:
[codex:428596]         insts.append((i,opnames.get(op,f'OP_{op:02x}'),None))
[codex:428596]         i+=1
[codex:428596] pc_index={pc:idx for idx,(pc,_,_) in enumerate(insts)}
[codex:428596] 
[codex:428596] pc=0x0168
[codex:428596] stack=['addr','value','ret']
[codex:428596] 
[codex:428596] while True:
[codex:428596]     idx=pc_index[pc]
[codex:428596]     pc,op,arg=insts[idx]
[codex:428596]     if pc==0x017d:
[codex:428596]         print('before JUMPI stack=',stack)
[codex:428596]     if op=='JUMPDEST':
[codex:428596]         pc=insts[idx+1][0]
[codex:428596]         continue
[codex:428596]     if op.startswith('PUSH'):
[codex:428596]         stack.insert(0,f'{arg:#x}')
[codex:428596]     elif op.startswith('DUP'):
[codex:428596]         n=int(op[3:])
[codex:428596]         stack.insert(0, stack[n-1])
[codex:428596]     elif op.startswith('SWAP'):
[codex:428596]         n=int(op[4:])
[codex:428596]         stack[0], stack[n] = stack[n], stack[0]
[codex:428596]     elif op=='POP':
[codex:428596]         stack.pop(0)
[codex:428596]     elif op=='SLOAD':
[codex:428596]         stack[0]=f'sload({stack[0]})'
[codex:428596]     elif op=='MLOAD':
[codex:428596]         stack[0]=f'mload({stack[0]})'
[codex:428596]     elif op=='CALLER':
[codex:428596]         stack.insert(0,'caller')
[codex:428596]     elif op=='AND':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}&{b1})')
[codex:428596]     elif op=='OR':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({a}|{b1})')
[codex:428596]     elif op=='SHL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}<<{a})')
[codex:428596]     elif op=='SUB':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}-{a})')
[codex:428596]     elif op=='ADD':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}+{a})')
[codex:428596]     elif op=='MUL':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}*{a})')
[codex:428596]     elif op=='EQ':
[codex:428596]         a=stack.pop(0); b1=stack.pop(0)
[codex:428596]         stack.insert(0,f'({b1}=={a})')
[codex:428596]     elif op=='ISZERO':
[codex:428596]         a=stack.pop(0)
[codex:428596]         stack.insert(0,f'iszero({a})')
[codex:428596]     elif op=='JUMPI':
[codex:428596]         if pc==0x017d:
[codex:428596]             # force jump to 0x01ca
[codex:428596]             pc=0x01ca
[codex:428596]             continue
[codex:428596]     elif op=='CALL':
[codex:428596]         print('CALL',stack[:7])
[codex:428596]         break
[codex:428596]     pc=insts[idx+1][0]
[codex:428596] PY" in /tmp/codex-multi-_mvcnu52 succeeded in 20ms:
[codex:428596] before JUMPI stack= ['0x1ca', '(((0x1-(0x1<<0xa0))&sload(0x1))==caller)', '0x0', 'addr', 'value', 'ret']
[codex:428596] CALL ['(iszero(0x0)*0x8fc)', '((((0x1-(0x1<<0xa0))&sload(0x1))==caller)&(0x1-(0x1<<0xa0)))', '0x0', 'mload(0x40)', '0x0', 'mload(0x40)', '0x0']
[codex:428596] 
[codex:428596] 
[codex:428596] thinking
[codex:428596] **Analyzing EVM stack and call parameters**
[codex:428596] thinking
[codex:428596] **Summarizing security evaluation and JSON output**
[codex:428596] 
[codex:428596] I'll confirm that no exploit paths are found because access is locked to owner and resonate contract, and prepare a JSON output with no_findings set to true and a concise summary about locked access as requested.
[codex:428596] codex
[codex:428596] {"no_findings":true,"summary":"No concrete, exploitable value-extraction path found in the provided runtime bytecode; ETH transfer is gated by a stored authorized address and the only setter is owner-restricted and one-time.","findings":[]}
[codex:428596] tokens used
[codex:428596] 39,258
[codex:428596] {"no_findings":true,"summary":"No concrete, exploitable value-extraction path found in the provided runtime bytecode; ETH transfer is gated by a stored authorized address and the only setter is owner-restricted and one-time.","findings":[]}
Metadata 
{
    "codex": {
        "ran_at": "2026-01-02T23:05:12.807894+00:00",
        "returncode": 0
    },
    "summary": "No concrete, exploitable value-extraction path found in the provided runtime bytecode; ETH transfer is gated by a stored authorized address and the only setter is owner-restricted and one-time.",
    "raw_final": {
        "summary": "No concrete, exploitable value-extraction path found in the provided runtime bytecode; ETH transfer is gated by a stored authorized address and the only setter is owner-restricted and one-time.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
1
EXT*/BALANCE
0
Total opcodes
350
Flags
No heuristic flags raised.
View cast disassembly output 
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0x04
00000007: CALLDATASIZE
00000008: LT
00000009: PUSH2 0x0029
0000000c: JUMPI
0000000d: PUSH1 0x00
0000000f: CALLDATALOAD
00000010: PUSH1 0xe0
00000012: SHR
00000013: DUP1
00000014: PUSH4 0x81bac14f
00000019: EQ
0000001a: PUSH2 0x002b
0000001d: JUMPI
0000001e: DUP1
0000001f: PUSH4 0xb7760c8f
00000024: EQ
00000025: PUSH2 0x0072
00000028: JUMPI
00000029: JUMPDEST
0000002a: STOP
0000002b: JUMPDEST
0000002c: CALLVALUE
0000002d: DUP1
0000002e: ISZERO
0000002f: PUSH2 0x0037
00000032: JUMPI
00000033: PUSH1 0x00
00000035: DUP1
00000036: REVERT
00000037: JUMPDEST
00000038: POP
00000039: PUSH2 0x005e
0000003c: PUSH1 0x04
0000003e: DUP1
0000003f: CALLDATASIZE
00000040: SUB
00000041: PUSH1 0x20
00000043: DUP2
00000044: LT
00000045: ISZERO
00000046: PUSH2 0x004e
00000049: JUMPI
0000004a: PUSH1 0x00
0000004c: DUP1
0000004d: REVERT
0000004e: JUMPDEST
0000004f: POP
00000050: CALLDATALOAD
00000051: PUSH1 0x01
00000053: PUSH1 0x01
00000055: PUSH1 0xa0
00000057: SHL
00000058: SUB
00000059: AND
0000005a: PUSH2 0x009e
0000005d: JUMP
0000005e: JUMPDEST
0000005f: PUSH1 0x40
00000061: DUP1
00000062: MLOAD
00000063: SWAP2
00000064: ISZERO
00000065: ISZERO
00000066: DUP3
00000067: MSTORE
00000068: MLOAD
00000069: SWAP1
0000006a: DUP2
0000006b: SWAP1
0000006c: SUB
0000006d: PUSH1 0x20
0000006f: ADD
00000070: SWAP1
00000071: RETURN
00000072: JUMPDEST
00000073: PUSH2 0x005e
00000076: PUSH1 0x04
00000078: DUP1
00000079: CALLDATASIZE
0000007a: SUB
0000007b: PUSH1 0x40
0000007d: DUP2
0000007e: LT
0000007f: ISZERO
00000080: PUSH2 0x0088
00000083: JUMPI
00000084: PUSH1 0x00
00000086: DUP1
00000087: REVERT
00000088: JUMPDEST
00000089: POP
0000008a: DUP1
0000008b: CALLDATALOAD
0000008c: SWAP1
0000008d: PUSH1 0x20
0000008f: ADD
00000090: CALLDATALOAD
00000091: PUSH1 0x01
00000093: PUSH1 0x01
00000095: PUSH1 0xa0
00000097: SHL
00000098: SUB
00000099: AND
0000009a: PUSH2 0x0168
0000009d: JUMP
0000009e: JUMPDEST
0000009f: PUSH1 0x00
000000a1: DUP1
000000a2: SLOAD
000000a3: PUSH1 0x01
000000a5: PUSH1 0x01
000000a7: PUSH1 0xa0
000000a9: SHL
000000aa: SUB
000000ab: AND
000000ac: CALLER
000000ad: EQ
000000ae: PUSH2 0x00f5
000000b1: JUMPI
000000b2: PUSH1 0x40
000000b4: DUP1
000000b5: MLOAD
000000b6: PUSH3 0x461bcd
000000ba: PUSH1 0xe5
000000bc: SHL
000000bd: DUP2
000000be: MSTORE
000000bf: PUSH1 0x20
000000c1: PUSH1 0x04
000000c3: DUP3
000000c4: ADD
000000c5: MSTORE
000000c6: PUSH1 0x14
000000c8: PUSH1 0x24
000000ca: DUP3
000000cb: ADD
000000cc: MSTORE
000000cd: PUSH20 0x2fb7bbb732b910109e9036b9b39739b2b73232b9
000000e2: PUSH1 0x61
000000e4: SHL
000000e5: PUSH1 0x44
000000e7: DUP3
000000e8: ADD
000000e9: MSTORE
000000ea: SWAP1
000000eb: MLOAD
000000ec: SWAP1
000000ed: DUP2
000000ee: SWAP1
000000ef: SUB
000000f0: PUSH1 0x64
000000f2: ADD
000000f3: SWAP1
000000f4: REVERT
000000f5: JUMPDEST
000000f6: PUSH1 0x01
000000f8: SLOAD
000000f9: PUSH1 0x01
000000fb: PUSH1 0x01
000000fd: PUSH1 0xa0
000000ff: SHL
00000100: SUB
00000101: AND
00000102: ISZERO
00000103: PUSH2 0x0144
00000106: JUMPI
00000107: PUSH1 0x40
00000109: DUP1
0000010a: MLOAD
0000010b: PUSH3 0x461bcd
0000010f: PUSH1 0xe5
00000111: SHL
00000112: DUP2
00000113: MSTORE
00000114: PUSH1 0x20
00000116: PUSH1 0x04
00000118: DUP3
00000119: ADD
0000011a: MSTORE
0000011b: PUSH1 0x0e
0000011d: PUSH1 0x24
0000011f: DUP3
00000120: ADD
00000121: MSTORE
00000122: PUSH14 0x17dc9bdbdd081b9bdd081b9d5b1b
00000131: PUSH1 0x92
00000133: SHL
00000134: PUSH1 0x44
00000136: DUP3
00000137: ADD
00000138: MSTORE
00000139: SWAP1
0000013a: MLOAD
0000013b: SWAP1
0000013c: DUP2
0000013d: SWAP1
0000013e: SUB
0000013f: PUSH1 0x64
00000141: ADD
00000142: SWAP1
00000143: REVERT
00000144: JUMPDEST
00000145: PUSH1 0x01
00000147: DUP1
00000148: SLOAD
00000149: PUSH1 0x01
0000014b: PUSH1 0x01
0000014d: PUSH1 0xa0
0000014f: SHL
00000150: SUB
00000151: NOT
00000152: AND
00000153: PUSH1 0x01
00000155: PUSH1 0x01
00000157: PUSH1 0xa0
00000159: SHL
0000015a: SUB
0000015b: SWAP4
0000015c: SWAP1
0000015d: SWAP4
0000015e: AND
0000015f: SWAP3
00000160: SWAP1
00000161: SWAP3
00000162: OR
00000163: SWAP1
00000164: SWAP2
00000165: SSTORE
00000166: SWAP1
00000167: JUMP
00000168: JUMPDEST
00000169: PUSH1 0x01
0000016b: SLOAD
0000016c: PUSH1 0x00
0000016e: SWAP1
0000016f: PUSH1 0x01
00000171: PUSH1 0x01
00000173: PUSH1 0xa0
00000175: SHL
00000176: SUB
00000177: AND
00000178: CALLER
00000179: EQ
0000017a: PUSH2 0x01ca
0000017d: JUMPI
0000017e: PUSH1 0x40
00000180: DUP1
00000181: MLOAD
00000182: PUSH3 0x461bcd
00000186: PUSH1 0xe5
00000188: SHL
00000189: DUP2
0000018a: MSTORE
0000018b: PUSH1 0x20
0000018d: PUSH1 0x04
0000018f: DUP3
00000190: ADD
00000191: MSTORE
00000192: PUSH1 0x1f
00000194: PUSH1 0x24
00000196: DUP3
00000197: ADD
00000198: MSTORE
00000199: PUSH32 0x6d73672e73656e64657220213d205f7265736f6e617465436f6e747261637400
000001ba: PUSH1 0x44
000001bc: DUP3
000001bd: ADD
000001be: MSTORE
000001bf: SWAP1
000001c0: MLOAD
000001c1: SWAP1
000001c2: DUP2
000001c3: SWAP1
000001c4: SUB
000001c5: PUSH1 0x64
000001c7: ADD
000001c8: SWAP1
000001c9: REVERT
000001ca: JUMPDEST
000001cb: PUSH1 0x40
000001cd: MLOAD
000001ce: PUSH1 0x01
000001d0: PUSH1 0x01
000001d2: PUSH1 0xa0
000001d4: SHL
000001d5: SUB
000001d6: DUP4
000001d7: AND
000001d8: SWAP1
000001d9: DUP5
000001da: ISZERO
000001db: PUSH2 0x08fc
000001de: MUL
000001df: SWAP1
000001e0: DUP6
000001e1: SWAP1
000001e2: PUSH1 0x00
000001e4: DUP2
000001e5: DUP2
000001e6: DUP2
000001e7: DUP6
000001e8: DUP9
000001e9: DUP9
000001ea: CALL
000001eb: SWAP4
000001ec: POP
000001ed: POP
000001ee: POP
000001ef: POP
000001f0: ISZERO
000001f1: DUP1
000001f2: ISZERO
000001f3: PUSH2 0x0200
000001f6: JUMPI
000001f7: RETURNDATASIZE
000001f8: PUSH1 0x00
000001fa: DUP1
000001fb: RETURNDATACOPY
000001fc: RETURNDATASIZE
000001fd: PUSH1 0x00
000001ff: REVERT
00000200: JUMPDEST
00000201: POP
00000202: PUSH1 0x01
00000204: SWAP4
00000205: SWAP3
00000206: POP
00000207: POP
00000208: POP
00000209: JUMP
0000020a: INVALID
0000020b: LOG2
0000020c: PUSH6 0x627a7a723158
00000213: KECCAK256
00000214: UNKNOWN(0xAE)
00000215: UNKNOWN(0xC9)
00000216: UNKNOWN(0xD8)
00000217: UNKNOWN(0xD1)
00000218: UNKNOWN(0xE6)
00000219: UNKNOWN(0x4D)
0000021a: PUSH8 0x9b97a59f4996c5e3
00000223: UNKNOWN(0xFB)
00000224: COINBASE
00000225: UNKNOWN(0x2F)
00000226: UNKNOWN(0xB5)
00000227: PUSH29

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 no no
view
trace_id: 0x661ff073d41ce9884bf21d014c7278a0de2cb62448eb0c50ed63d4f10f0deff4
call_targets: 0x8a909adc6c299cc4a206e730b15d2b97b0fbf0bd
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x661ff073d41ce9884bf21d014c7278a0de2cb62448eb0c50ed63d4f10f0deff4",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x8a909adc6c299cc4a206e730b15d2b97b0fbf0bd"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x81bac14f",
            "selector": "0x81bac14f",
            "calldata_variants": [
                "0x81bac14f",
                "0x81bac14f0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xb7760c8f",
            "selector": "0xb7760c8f",
            "calldata_variants": [
                "0xb7760c8f",
                "0xb7760c8f0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 490,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 1,
    "guards_detected": [],
    "untrusted_call_count": 1
}
high other detector ETH value transfer possible 55 no no
view
trace_id: 0x661ff073d41ce9884bf21d014c7278a0de2cb62448eb0c50ed63d4f10f0deff4
call_targets: 0x8a909adc6c299cc4a206e730b15d2b97b0fbf0bd
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x661ff073d41ce9884bf21d014c7278a0de2cb62448eb0c50ed63d4f10f0deff4",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x8a909adc6c299cc4a206e730b15d2b97b0fbf0bd"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x81bac14f",
            "selector": "0x81bac14f",
            "calldata_variants": [
                "0x81bac14f",
                "0x81bac14f0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xb7760c8f",
            "selector": "0xb7760c8f",
            "calldata_variants": [
                "0xb7760c8f",
                "0xb7760c8f0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 490,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 1,
    "guards_detected": []
}