Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

cc29e004-23c7-4d4d-be13-6790821cc0be

complete
Chain ID
1
Address
Block Number
Created
Mon, Jan 5, 2026 3:23 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed
0
Validated
0
Source
Bytecode only
Review Backing
Not yet
Best current signal
DELEGATECALL present
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31674 report.consolidate complete 1 / 1 3 months ago
95467 artifact.fetch complete 1 / 3 1 week ago
95468 tool.cast_disasm complete 1 / 3 1 week ago
95469 analysis.bundle complete 1 / 3 1 week ago
95470 capability.graph complete 1 / 3 1 week ago
95471 detector.run complete 1 / 3 1 week ago
95472 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
0
No findings?
yes
Summary
Runtime bytecode matches an immutable-args minimal proxy delegating to a fixed implementation address (0x652a2a2876b855d9c30d9265f882f0a486608976) with no upgrade paths, no SELFDESTRUCT, and no direct value-transfer logic; without the implementation code, there is no concrete, bytecode-visible profit extraction path.
stderr
[codex:676913] OpenAI Codex v0.77.0 (research preview)
[codex:676913] --------
[codex:676913] workdir: /tmp/codex-multi-3193e1ym
[codex:676913] model: gpt-5.2-codex
[codex:676913] provider: openai
[codex:676913] approval: never
[codex:676913] sandbox: read-only
[codex:676913] reasoning effort: xhigh
[codex:676913] reasoning summaries: auto
[codex:676913] session id: 019b8c2c-da61-7f63-947b-f39fb0dd51dd
[codex:676913] --------
[codex:676913] user
[codex:676913] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:676913] 
[codex:676913] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:676913] 
[codex:676913] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:676913] - Gas inefficiency, code quality, or best practices
[codex:676913] - Theoretical vulnerabilities without a clear extraction path
[codex:676913] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:676913] - Issues requiring social engineering or off-chain coordination
[codex:676913] 
[codex:676913] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:676913] - CALL/DELEGATECALL with controllable destination or calldata
[codex:676913] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:676913] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:676913] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:676913] - External calls before state updates (reentrancy)
[codex:676913] - SELFDESTRUCT with controllable beneficiary
[codex:676913] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:676913] 
[codex:676913] For each finding, you MUST explain:
[codex:676913] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:676913] 2. The concrete sequence of transactions to extract value
[codex:676913] 3. Why you believe this is exploitable (not just suspicious)
[codex:676913] 
[codex:676913] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:676913] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:676913] 
[codex:676913] Output MUST be valid JSON matching the provided schema.
[codex:676913] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:676913] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:676913] mcp startup: no servers
[codex:676913] 
[codex:676913] thinking
[codex:676913] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:676913] exec
[codex:676913] /bin/bash -lc ls in /tmp/codex-multi-3193e1ym succeeded in 6ms:
[codex:676913] BYTECODE_BUNDLE.txt
[codex:676913] codex-output-schema.json
[codex:676913] exec
[codex:676913] /bin/bash -lc "sed -n '1,200p' BYTECODE_BUNDLE.txt" in /tmp/codex-multi-3193e1ym succeeded in 6ms:
[codex:676913] Runtime bytecode bundle for best-effort auditing.
[codex:676913] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:676913] 
[codex:676913] FILE: runtime_bytecode.hex
[codex:676913] 0x36602f57343d527f9e4ac34f21c619cefc926c8bd93b54bf5a39c7ab2127a895af1cc0691d7e3dff60203da13d3df35b3d3d3d3d363d3d376100366067363936610036013d73652a2a2876b855d9c30d9265f882f0a4866089765af43d3d93803e606557fd5bf384af3d5824f0390b9510440b6abb5cc02bb68ea10000000000000000000000000000000000000000000000000000000001e133800034
[codex:676913] 
[codex:676913] thinking
[codex:676913] **Requesting full file**
[codex:676913] exec
[codex:676913] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-3193e1ym succeeded in 5ms:
[codex:676913] Runtime bytecode bundle for best-effort auditing.
[codex:676913] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:676913] 
[codex:676913] FILE: runtime_bytecode.hex
[codex:676913] 0x36602f57343d527f9e4ac34f21c619cefc926c8bd93b54bf5a39c7ab2127a895af1cc0691d7e3dff60203da13d3df35b3d3d3d3d363d3d376100366067363936610036013d73652a2a2876b855d9c30d9265f882f0a4866089765af43d3d93803e606557fd5bf384af3d5824f0390b9510440b6abb5cc02bb68ea10000000000000000000000000000000000000000000000000000000001e133800034
[codex:676913] 
[codex:676913] thinking
[codex:676913] **Analyzing minimal proxy bytecode**
[codex:676913] 
[codex:676913] I've broken down the bytecode and confirmed it's a minimal proxy with immutable arguments delegating calls to a fixed implementation address. The code also logs events when calldata is empty but shows no upgradeability or self-destruct patterns that could be exploited. Without access to the implementation contract, I can't identify any concrete exploitable paths for value extraction, so I'll report no findings with a summary explaining this.
[codex:676913] codex
[codex:676913] {"no_findings":true,"summary":"Runtime bytecode matches an immutable-args minimal proxy delegating to a fixed implementation address (0x652a2a2876b855d9c30d9265f882f0a486608976) with no upgrade paths, no SELFDESTRUCT, and no direct value-transfer logic; without the implementation code, there is no concrete, bytecode-visible profit extraction path.","findings":[]}
[codex:676913] tokens used
[codex:676913] 6,524
[codex:676913] {"no_findings":true,"summary":"Runtime bytecode matches an immutable-args minimal proxy delegating to a fixed implementation address (0x652a2a2876b855d9c30d9265f882f0a486608976) with no upgrade paths, no SELFDESTRUCT, and no direct value-transfer logic; without the implementation code, there is no concrete, bytecode-visible profit extraction path.","findings":[]}
Metadata
{
    "codex": {
        "ran_at": "2026-01-05T03:23:04.869712+00:00",
        "returncode": 0
    },
    "summary": "Runtime bytecode matches an immutable-args minimal proxy delegating to a fixed implementation address (0x652a2a2876b855d9c30d9265f882f0a486608976) with no upgrade paths, no SELFDESTRUCT, and no direct value-transfer logic; without the implementation code, there is no concrete, bytecode-visible profit extraction path.",
    "raw_final": {
        "summary": "Runtime bytecode matches an immutable-args minimal proxy delegating to a fixed implementation address (0x652a2a2876b855d9c30d9265f882f0a486608976) with no upgrade paths, no SELFDESTRUCT, and no direct value-transfer logic; without the implementation code, there is no concrete, bytecode-visible profit extraction path.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
1
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
0
EXT*/BALANCE
0
Total opcodes
86
Flags
delegatecall_present create_opcodes_present
cast disassembly output
00000000: CALLDATASIZE
00000001: PUSH1 0x2f
00000003: JUMPI
00000004: CALLVALUE
00000005: RETURNDATASIZE
00000006: MSTORE
00000007: PUSH32 0x9e4ac34f21c619cefc926c8bd93b54bf5a39c7ab2127a895af1cc0691d7e3dff
00000028: PUSH1 0x20
0000002a: RETURNDATASIZE
0000002b: LOG1
0000002c: RETURNDATASIZE
0000002d: RETURNDATASIZE
0000002e: RETURN
0000002f: JUMPDEST
00000030: RETURNDATASIZE
00000031: RETURNDATASIZE
00000032: RETURNDATASIZE
00000033: RETURNDATASIZE
00000034: CALLDATASIZE
00000035: RETURNDATASIZE
00000036: RETURNDATASIZE
00000037: CALLDATACOPY
00000038: PUSH2 0x0036
0000003b: PUSH1 0x67
0000003d: CALLDATASIZE
0000003e: CODECOPY
0000003f: CALLDATASIZE
00000040: PUSH2 0x0036
00000043: ADD
00000044: RETURNDATASIZE
00000045: PUSH20 0x652a2a2876b855d9c30d9265f882f0a486608976
0000005a: GAS
0000005b: DELEGATECALL
0000005c: RETURNDATASIZE
0000005d: RETURNDATASIZE
0000005e: SWAP4
0000005f: DUP1
00000060: RETURNDATACOPY
00000061: PUSH1 0x65
00000063: JUMPI
00000064: REVERT
00000065: JUMPDEST
00000066: RETURN
00000067: DUP5
00000068: UNKNOWN(0xAF)
00000069: RETURNDATASIZE
0000006a: PC
0000006b: UNKNOWN(0x24)
0000006c: CREATE
0000006d: CODECOPY
0000006e: SIGNEXTEND
0000006f: SWAP6
00000070: LT
00000071: DIFFICULTY
00000072: SIGNEXTEND
00000073: PUSH11 0xbb5cc02bb68ea100000000
0000007f: STOP
00000080: STOP
00000081: STOP
00000082: STOP
00000083: STOP
00000084: STOP
00000085: STOP
00000086: STOP
00000087: STOP
00000088: STOP
00000089: STOP
0000008a: STOP
0000008b: STOP
0000008c: STOP
0000008d: STOP
0000008e: STOP
0000008f: STOP
00000090: STOP
00000091: STOP
00000092: STOP
00000093: STOP
00000094: STOP
00000095: STOP
00000096: STOP
00000097: ADD
00000098: UNKNOWN(0xE1)
00000099: CALLER
0000009a: DUP1
0000009b: STOP
0000009c: CALLVALUE

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
medium upgradeability cast DELEGATECALL present 80 no
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 1
}
medium other detector CREATE/CREATE2 reachable 45 no no
trace_id: 0xe85bda53d2f020390eea2162426b866fbbea82dd997534c470cbb47d319f5fac
validation_json
{
    "sink": "CREATE",
    "errors": 0,
    "status": "unknown",
    "attempts": 1,
    "trace_id": "0xe85bda53d2f020390eea2162426b866fbbea82dd997534c470cbb47d319f5fac",
    "confirmed": false,
    "trace_mode": "structLogs",
    "call_targets": null,
    "matched_probe": null,
    "target_varies": null,
    "classification": "no_sink"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "create_count": 1,
    "create2_count": 0
}
low other cast Contract creation opcode present 60 no
evidence_json
{
    "notes": "runtime can deploy contracts dynamically via CREATE/CREATE2",
    "create_count": 1,
    "create2_count": 0
}