Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

Run ID: cd0bc4f5-504b-4f92-97c3-48c47dc1a43f
Status: complete
Chain ID: 1 (Ethereum mainnet)
Address:
Block Number:
Created: Mon, Dec 29, 2025 8:55 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 1
Validated: 1
Source: Bytecode only
Review Backing: Present
Best current signal: Untrusted DELEGATECALL target reachable (critical 1, high 0; proxy context, implementation known)
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
30480 report.consolidate complete 1 / 1 3 months ago
103739 artifact.fetch complete 1 / 3 1 week ago
103740 tool.cast_disasm complete 1 / 3 1 week ago
103741 analysis.bundle complete 1 / 3 1 week ago
103742 capability.graph complete 1 / 3 1 week ago
103743 detector.run complete 1 / 3 1 week ago
103744 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: yes
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 1
No findings?: no
Summary: Bytecode implements a proxy that resolves its implementation via a hardcoded external beacon/registry and then delegatecalls to it; this introduces an upgrade/trust dependency on that external address.
stderr:
[codex:1211210] OpenAI Codex v0.77.0 (research preview)
[codex:1211210] --------
[codex:1211210] workdir: /tmp/codex-multi-l_bjlnd2
[codex:1211210] model: gpt-5.2-codex
[codex:1211210] provider: openai
[codex:1211210] approval: never
[codex:1211210] sandbox: read-only
[codex:1211210] reasoning effort: xhigh
[codex:1211210] reasoning summaries: auto
[codex:1211210] session id: 019b694f-7e66-7311-a86d-0b291c08aa01
[codex:1211210] --------
[codex:1211210] user
[codex:1211210] You are a security auditor. You are given EVM runtime bytecode (and possibly a disassembly) for a contract with NO verified source.
[codex:1211210] This is best-effort. Do not hallucinate: only flag issues when there's a concrete, explainable angle from bytecode/disasm patterns.
[codex:1211210] 
[codex:1211210] You MUST read the full `BYTECODE_BUNDLE.txt` before concluding.
[codex:1211210] 
[codex:1211210] Output MUST be valid JSON matching the provided schema.
[codex:1211210] - If you cannot identify a concrete issue from bytecode/disasm alone: set no_findings=true and findings=[].
[codex:1211210] - Otherwise: include findings with severity/category/title/evidence and point locations to BYTECODE_BUNDLE.txt line ranges when possible.
[codex:1211210] 
[codex:1211210] Output constraints (IMPORTANT):
[codex:1211210] - severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
[codex:1211210] - category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
[codex:1211210] mcp startup: no servers
[codex:1211210] 
[codex:1211210] thinking
[codex:1211210] **Listing files in repo**
[codex:1211210] exec
[codex:1211210] /bin/bash -lc 'rg --files' in /tmp/codex-multi-l_bjlnd2 succeeded in 8ms:
[codex:1211210] codex-output-schema.json
[codex:1211210] BYTECODE_BUNDLE.txt
[codex:1211210] 
[codex:1211210] thinking
[codex:1211210] **Checking BYTECODE_BUNDLE.txt**
[codex:1211210] exec
[codex:1211210] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-l_bjlnd2 succeeded in 5ms:
[codex:1211210] Runtime bytecode bundle for best-effort auditing.
[codex:1211210] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:1211210] 
[codex:1211210] FILE: runtime_bytecode.hex
[codex:1211210] [runtime bytecode hex elided]
[codex:1211210] 
[codex:1211210] thinking
[codex:1211210] **Analyzing EVM bytecode with disassembly**
[codex:1211210] 
[codex:1211210] I want to inspect the given runtime bytecode to detect any issues or patterns, possibly a minimal proxy setup. Since no network or EVM disassembler is available, I'll implement a simple inline Python script to parse and decode opcodes directly from the hex bytecode, working within read-only constraints. Let's run a minimal disassembler to see the opcode sequence.
[codex:1211210] exec
[codex:1211210] /bin/bash -lc "python - <<'PY'
[codex:1211210] import binascii
[codex:1211210] hexcode='608060405261000c61000e565b005b61001e610019610020565b6101ee565b565b60408051600481526024810182526020810180517bffffffffffffffffffffffffffffffffffffffffffffffffffffffff167f5c60da1b0000000000000000000000000000000000000000000000000000000017905290516000918291829173ffffffffffffffffffffffffffffffffffffffff7f000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba816916100c19190610212565b600060405180830381855afa9150503d80600081146100fc576040519150601f19603f3d011682016040523d82523d6000602084013e610101565b606091505b50915091508161013d576040517f73a769bf00000000000000000000000000000000000000000000000000000000815260040160405180910390fd5b80516020146101865780516040517f7ce64c7800000000000000000000000000000000000000000000000000000000815260040161017d91815260200190565b60405180910390fd5b8080602001905181019061019a9190610241565b925073ffffffffffffffffffffffffffffffffffffffff83166101e9576040517ffb678c3000000000000000000000000000000000000000000000000000000000815260040160405180910390fd5b505090565b3660008037600080366000845af43d6000803e80801561020d573d6000f35b3d6000fd5b6000825160005b818110156102335760208186018101518583015201610219565b506000920191825250919050565b60006020828403121561025357600080fd5b815173ffffffffffffffffffffffffffffffffffffffff8116811461027757600080fd5b939250505056fea2646970667358221220faa02c8dbc06828a990393ba969bcbd1ea1639570ce9fd9adc1561125b0012f964736f6c63430008160033'
[codex:1211210] code=binascii.unhexlify(hexcode)
[codex:1211210] ops = {
[codex:1211210] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:1211210] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:1211210] 0x20:'SHA3',
[codex:1211210] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:1211210] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:1211210] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:1211210] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:1211210] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:1211210] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:1211210] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:1211210] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:1211210] }
[codex:1211210] 
[codex:1211210] i=0
[codex:1211210] out=[]
[codex:1211210] while i<len(code):
[codex:1211210]     op=code[i]
[codex:1211210]     name=ops.get(op,f'OP{op:02x}')
[codex:1211210]     if 0x60<=op<=0x7f:
[codex:1211210]         n=op-0x5f
[codex:1211210]         data=code[i+1:i+1+n]
[codex:1211210]         out.append(f'{i:04x}: {name} 0x{data.hex()}')
[codex:1211210]         i+=1+n
[codex:1211210]     else:
[codex:1211210]         out.append(f'{i:04x}: {name}')
[codex:1211210]         i+=1
[codex:1211210] print('\\n'.join(out))
[codex:1211210] PY" in /tmp/codex-multi-l_bjlnd2 succeeded in 18ms:
[codex:1211210] 0000: PUSH1 0x80
[codex:1211210] 0002: PUSH1 0x40
[codex:1211210] 0004: MSTORE
[codex:1211210] 0005: PUSH2 0x000c
[codex:1211210] 0008: PUSH2 0x000e
[codex:1211210] 000b: JUMP
[codex:1211210] 000c: JUMPDEST
[codex:1211210] 000d: STOP
[codex:1211210] 000e: JUMPDEST
[codex:1211210] 000f: PUSH2 0x001e
[codex:1211210] 0012: PUSH2 0x0019
[codex:1211210] 0015: PUSH2 0x0020
[codex:1211210] 0018: JUMP
[codex:1211210] 0019: JUMPDEST
[codex:1211210] 001a: PUSH2 0x01ee
[codex:1211210] 001d: JUMP
[codex:1211210] 001e: JUMPDEST
[codex:1211210] 001f: JUMP
[codex:1211210] 0020: JUMPDEST
[codex:1211210] 0021: PUSH1 0x40
[codex:1211210] 
[codex:1211210] thinking
[codex:1211210] **Analyzing beacon proxy bytecode and risks**
[codex:1211210] 
[codex:1211210] I’m carefully parsing the disassembly of a proxy contract using a hardcoded beacon address to fetch its implementation via staticcall, then delegatecalling that implementation. It looks like a beacon proxy per EIP-1967 patterns, with upgradeability relying on the external beacon’s state. I see it validates the returned implementation address but doesn’t check code size, which means if the beacon returns an EOA or no-code address, calls might succeed but do nothing, posing a risk though not necessarily a vulnerability. The main concrete risk is a centralization and upgradeability concern since the proxy trusts an external beacon that, if compromised or selfdestructed, can break or alter the proxy’s behavior. I plan to note these points as the core findings.
[codex:1211210] exec
[codex:1211210] /bin/bash -lc 'nl -ba BYTECODE_BUNDLE.txt' in /tmp/codex-multi-l_bjlnd2 succeeded in 6ms:
[codex:1211210]      1	Runtime bytecode bundle for best-effort auditing.
[codex:1211210]      2	Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:1211210]      3	
[codex:1211210]      4	FILE: runtime_bytecode.hex
[codex:1211210]      5	[runtime bytecode hex elided]
[codex:1211210] 
[codex:1211210] thinking
[codex:1211210] **Analyzing bytecode for upgradeability risks**
[codex:1211210] codex
[codex:1211210] {"no_findings":false,"summary":"Bytecode implements a proxy that resolves its implementation via a hardcoded external beacon/registry and then delegatecalls to it; this introduces an upgrade/trust dependency on that external address.","findings":[{"severity":"info","category":"upgradeability","title":"Implementation resolved from hardcoded external beacon address","exploit_scenario":"The runtime performs a STATICCALL to the hardcoded address 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 with selector 0x5c60da1b, then DELEGATECALLs to the returned implementation. If that beacon/registry is upgradeable or compromised, it can return a malicious implementation and take over all proxy logic, enabling theft or state corruption.","recommendation":"Assess who controls the beacon at 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 and ensure strong upgrade governance (multisig/timelock). If immutability is required, use a fixed implementation address or disable upgrades.","evidence":"Bytecode embeds the beacon address and makes a STATICCALL followed by DELEGATECALL (e.g., `...7f000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba8...fa...5af4...`), indicating implementation is fetched externally each call.","locations":["BYTECODE_BUNDLE.txt:5"]}]}
[codex:1211210] tokens used
[codex:1211210] 22,129
Metadata
{
    "codex": {
        "ran_at": "2025-12-29T08:55:32.807464+00:00",
        "returncode": 0
    },
    "summary": "Bytecode implements a proxy that resolves its implementation via a hardcoded external beacon/registry and then delegatecalls to it; this introduces an upgrade/trust dependency on that external address.",
    "raw_final": {
        "summary": "Bytecode implements a proxy that resolves its implementation via a hardcoded external beacon/registry and then delegatecalls to it; this introduces an upgrade/trust dependency on that external address.",
        "findings": [
            {
                "title": "Implementation resolved from hardcoded external beacon address",
                "category": "upgradeability",
                "evidence": "Bytecode embeds the beacon address and makes a STATICCALL followed by DELEGATECALL (e.g., `...7f000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba8...fa...5af4...`), indicating implementation is fetched externally each call.",
                "severity": "info",
                "locations": [
                    "BYTECODE_BUNDLE.txt:5"
                ],
                "recommendation": "Assess who controls the beacon at 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 and ensure strong upgrade governance (multisig/timelock). If immutability is required, use a fixed implementation address or disable upgrades.",
                "exploit_scenario": "The runtime performs a STATICCALL to the hardcoded address 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 with selector 0x5c60da1b, then DELEGATECALLs to the returned implementation. If that beacon/registry is upgradeable or compromised, it can return a malicious implementation and take over all proxy logic, enabling theft or state corruption."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 1
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 2
EXT*/BALANCE: 0
Total opcodes: 347
Flags: delegatecall_present
Cast disassembly output (the last 41 entries, 0x27f to 0x2b3 after the INVALID at 0x27e, are solc's CBOR metadata trailer rather than code: a2 64 "ipfs" 58 22 <34-byte multihash> 64 "solc" 43 00 08 16 plus the length 00 33 encode an IPFS hash and solc 0.8.22, so the STATICCALL at 0x289 and the REVERT at 0x29f are not reachable instructions):
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH2 0x000c
00000008: PUSH2 0x000e
0000000b: JUMP
0000000c: JUMPDEST
0000000d: STOP
0000000e: JUMPDEST
0000000f: PUSH2 0x001e
00000012: PUSH2 0x0019
00000015: PUSH2 0x0020
00000018: JUMP
00000019: JUMPDEST
0000001a: PUSH2 0x01ee
0000001d: JUMP
0000001e: JUMPDEST
0000001f: JUMP
00000020: JUMPDEST
00000021: PUSH1 0x40
00000023: DUP1
00000024: MLOAD
00000025: PUSH1 0x04
00000027: DUP2
00000028: MSTORE
00000029: PUSH1 0x24
0000002b: DUP2
0000002c: ADD
0000002d: DUP3
0000002e: MSTORE
0000002f: PUSH1 0x20
00000031: DUP2
00000032: ADD
00000033: DUP1
00000034: MLOAD
00000035: PUSH28 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff
00000052: AND
00000053: PUSH32 0x5c60da1b00000000000000000000000000000000000000000000000000000000
00000074: OR
00000075: SWAP1
00000076: MSTORE
00000077: SWAP1
00000078: MLOAD
00000079: PUSH1 0x00
0000007b: SWAP2
0000007c: DUP3
0000007d: SWAP2
0000007e: DUP3
0000007f: SWAP2
00000080: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000095: PUSH32 0x000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba8
000000b6: AND
000000b7: SWAP2
000000b8: PUSH2 0x00c1
000000bb: SWAP2
000000bc: SWAP1
000000bd: PUSH2 0x0212
000000c0: JUMP
000000c1: JUMPDEST
000000c2: PUSH1 0x00
000000c4: PUSH1 0x40
000000c6: MLOAD
000000c7: DUP1
000000c8: DUP4
000000c9: SUB
000000ca: DUP2
000000cb: DUP6
000000cc: GAS
000000cd: STATICCALL
000000ce: SWAP2
000000cf: POP
000000d0: POP
000000d1: RETURNDATASIZE
000000d2: DUP1
000000d3: PUSH1 0x00
000000d5: DUP2
000000d6: EQ
000000d7: PUSH2 0x00fc
000000da: JUMPI
000000db: PUSH1 0x40
000000dd: MLOAD
000000de: SWAP2
000000df: POP
000000e0: PUSH1 0x1f
000000e2: NOT
000000e3: PUSH1 0x3f
000000e5: RETURNDATASIZE
000000e6: ADD
000000e7: AND
000000e8: DUP3
000000e9: ADD
000000ea: PUSH1 0x40
000000ec: MSTORE
000000ed: RETURNDATASIZE
000000ee: DUP3
000000ef: MSTORE
000000f0: RETURNDATASIZE
000000f1: PUSH1 0x00
000000f3: PUSH1 0x20
000000f5: DUP5
000000f6: ADD
000000f7: RETURNDATACOPY
000000f8: PUSH2 0x0101
000000fb: JUMP
000000fc: JUMPDEST
000000fd: PUSH1 0x60
000000ff: SWAP2
00000100: POP
00000101: JUMPDEST
00000102: POP
00000103: SWAP2
00000104: POP
00000105: SWAP2
00000106: POP
00000107: DUP2
00000108: PUSH2 0x013d
0000010b: JUMPI
0000010c: PUSH1 0x40
0000010e: MLOAD
0000010f: PUSH32 0x73a769bf00000000000000000000000000000000000000000000000000000000
00000130: DUP2
00000131: MSTORE
00000132: PUSH1 0x04
00000134: ADD
00000135: PUSH1 0x40
00000137: MLOAD
00000138: DUP1
00000139: SWAP2
0000013a: SUB
0000013b: SWAP1
0000013c: REVERT
0000013d: JUMPDEST
0000013e: DUP1
0000013f: MLOAD
00000140: PUSH1 0x20
00000142: EQ
00000143: PUSH2 0x0186
00000146: JUMPI
00000147: DUP1
00000148: MLOAD
00000149: PUSH1 0x40
0000014b: MLOAD
0000014c: PUSH32 0x7ce64c7800000000000000000000000000000000000000000000000000000000
0000016d: DUP2
0000016e: MSTORE
0000016f: PUSH1 0x04
00000171: ADD
00000172: PUSH2 0x017d
00000175: SWAP2
00000176: DUP2
00000177: MSTORE
00000178: PUSH1 0x20
0000017a: ADD
0000017b: SWAP1
0000017c: JUMP
0000017d: JUMPDEST
0000017e: PUSH1 0x40
00000180: MLOAD
00000181: DUP1
00000182: SWAP2
00000183: SUB
00000184: SWAP1
00000185: REVERT
00000186: JUMPDEST
00000187: DUP1
00000188: DUP1
00000189: PUSH1 0x20
0000018b: ADD
0000018c: SWAP1
0000018d: MLOAD
0000018e: DUP2
0000018f: ADD
00000190: SWAP1
00000191: PUSH2 0x019a
00000194: SWAP2
00000195: SWAP1
00000196: PUSH2 0x0241
00000199: JUMP
0000019a: JUMPDEST
0000019b: SWAP3
0000019c: POP
0000019d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000001b2: DUP4
000001b3: AND
000001b4: PUSH2 0x01e9
000001b7: JUMPI
000001b8: PUSH1 0x40
000001ba: MLOAD
000001bb: PUSH32 0xfb678c3000000000000000000000000000000000000000000000000000000000
000001dc: DUP2
000001dd: MSTORE
000001de: PUSH1 0x04
000001e0: ADD
000001e1: PUSH1 0x40
000001e3: MLOAD
000001e4: DUP1
000001e5: SWAP2
000001e6: SUB
000001e7: SWAP1
000001e8: REVERT
000001e9: JUMPDEST
000001ea: POP
000001eb: POP
000001ec: SWAP1
000001ed: JUMP
000001ee: JUMPDEST
000001ef: CALLDATASIZE
000001f0: PUSH1 0x00
000001f2: DUP1
000001f3: CALLDATACOPY
000001f4: PUSH1 0x00
000001f6: DUP1
000001f7: CALLDATASIZE
000001f8: PUSH1 0x00
000001fa: DUP5
000001fb: GAS
000001fc: DELEGATECALL
000001fd: RETURNDATASIZE
000001fe: PUSH1 0x00
00000200: DUP1
00000201: RETURNDATACOPY
00000202: DUP1
00000203: DUP1
00000204: ISZERO
00000205: PUSH2 0x020d
00000208: JUMPI
00000209: RETURNDATASIZE
0000020a: PUSH1 0x00
0000020c: RETURN
0000020d: JUMPDEST
0000020e: RETURNDATASIZE
0000020f: PUSH1 0x00
00000211: REVERT
00000212: JUMPDEST
00000213: PUSH1 0x00
00000215: DUP3
00000216: MLOAD
00000217: PUSH1 0x00
00000219: JUMPDEST
0000021a: DUP2
0000021b: DUP2
0000021c: LT
0000021d: ISZERO
0000021e: PUSH2 0x0233
00000221: JUMPI
00000222: PUSH1 0x20
00000224: DUP2
00000225: DUP7
00000226: ADD
00000227: DUP2
00000228: ADD
00000229: MLOAD
0000022a: DUP6
0000022b: DUP4
0000022c: ADD
0000022d: MSTORE
0000022e: ADD
0000022f: PUSH2 0x0219
00000232: JUMP
00000233: JUMPDEST
00000234: POP
00000235: PUSH1 0x00
00000237: SWAP3
00000238: ADD
00000239: SWAP2
0000023a: DUP3
0000023b: MSTORE
0000023c: POP
0000023d: SWAP2
0000023e: SWAP1
0000023f: POP
00000240: JUMP
00000241: JUMPDEST
00000242: PUSH1 0x00
00000244: PUSH1 0x20
00000246: DUP3
00000247: DUP5
00000248: SUB
00000249: SLT
0000024a: ISZERO
0000024b: PUSH2 0x0253
0000024e: JUMPI
0000024f: PUSH1 0x00
00000251: DUP1
00000252: REVERT
00000253: JUMPDEST
00000254: DUP2
00000255: MLOAD
00000256: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0000026b: DUP2
0000026c: AND
0000026d: DUP2
0000026e: EQ
0000026f: PUSH2 0x0277
00000272: JUMPI
00000273: PUSH1 0x00
00000275: DUP1
00000276: REVERT
00000277: JUMPDEST
00000278: SWAP4
00000279: SWAP3
0000027a: POP
0000027b: POP
0000027c: POP
0000027d: JUMP
0000027e: INVALID
0000027f: LOG2
00000280: PUSH5 0x6970667358
00000286: UNKNOWN(0x22)
00000287: SLT
00000288: KECCAK256
00000289: STATICCALL
0000028a: LOG0
0000028b: UNKNOWN(0x2C)
0000028c: DUP14
0000028d: UNKNOWN(0xBC)
0000028e: MOD
0000028f: DUP3
00000290: DUP11
00000291: SWAP10
00000292: SUB
00000293: SWAP4
00000294: UNKNOWN(0xBA)
00000295: SWAP7
00000296: SWAP12
00000297: UNKNOWN(0xCB)
00000298: UNKNOWN(0xD1)
00000299: UNKNOWN(0xEA)
0000029a: AND
0000029b: CODECOPY
0000029c: JUMPI
0000029d: UNKNOWN(0x0C)
0000029e: UNKNOWN(0xE9)
0000029f: REVERT
000002a0: SWAP11
000002a1: UNKNOWN(0xDC)
000002a2: ISZERO
000002a3: PUSH2 0x125b
000002a6: STOP
000002a7: SLT
000002a8: UNKNOWN(0xF9)
000002a9: PUSH5 0x736f6c6343
000002af: STOP
000002b0: ADDMOD
000002b1: AND
000002b2: STOP
000002b3: CALLER

Findings

Legend: for call sinks (CALL, DELEGATECALL, STATICCALL) "validated" means the sink was seen executing in the forked trace; for other sink types it only means the sink was observed in the bytecode.

Severity: critical
Category: upgradeability
Tool: detector
Title: Untrusted DELEGATECALL target reachable
Confidence: 70
Validated: yes
Confirmed: yes
Details:
trace_id: 0xf16f8045df9aaecc9495827980eca94679911db91ca67348336ccec12088028d
call_targets: 0x3483ded1f1ebf8f665229cfa7e4a732c8de1487c, 0x9cd84e2587a78b424ec913ac3fa23ca810e91776
target_varies: yes
classification: target_varies

Review note: "confirmed" means the DELEGATECALL at pc 508 (0x1fc) executed in the fork, not that an attacker chooses its target. The disassembly above shows where the target comes from: the STATICCALL at 0xcd sends selector 0x5c60da1b (implementation()) to the address hardcoded at 0x95, 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8; the result is used only if the call succeeded (else revert 0x73a769bf), returned exactly 32 bytes (else revert 0x7ce64c78 with the length), decodes as a clean address, and is nonzero (else revert 0xfb678c30). No CALLDATALOAD or SLOAD feeds it, so `guards_detected: []` in evidence_json reflects the detector's pattern match rather than the code path, and the only way to steer the target is to control what that beacon returns. Under checklist step 4 this is beacon-proxy plumbing unless the beacon's upgrade authority is itself untrusted. Two things to reconcile before reading target_varies as attacker control: neither recorded call_target is the embedded beacon address, so check which frames the tracer counted; and the implementation is never checked with EXTCODESIZE, so a beacon that returns a code-less address makes every call succeed with empty return data.
validation_json
{
    "sink": "DELEGATECALL",
    "errors": 0,
    "status": "confirmed",
    "attempts": 1,
    "trace_id": "0xf16f8045df9aaecc9495827980eca94679911db91ca67348336ccec12088028d",
    "confirmed": true,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x3483ded1f1ebf8f665229cfa7e4a732c8de1487c",
        "0x9cd84e2587a78b424ec913ac3fa23ca810e91776"
    ],
    "matched_probe": null,
    "target_varies": true,
    "classification": "target_varies"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 508,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [],
    "delegatecall_count": 1,
    "untrusted_delegatecall_count": 1
}
Severity: medium
Category: upgradeability
Tool: cast
Title: DELEGATECALL present
Confidence: 80
Validated: no
Details:
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 1
}
Severity: info
Category: upgradeability
Tool: codex
Title: Implementation resolved from hardcoded external beacon address
Confidence: 60
Validated: no
Details:
evidence_json
{
    "evidence": "Bytecode embeds the beacon address and makes a STATICCALL followed by DELEGATECALL (e.g., `...7f000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba8...fa...5af4...`), indicating implementation is fetched externally each call.",
    "locations": [
        "BYTECODE_BUNDLE.txt:5"
    ],
    "recommendation": "Assess who controls the beacon at 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 and ensure strong upgrade governance (multisig/timelock). If immutability is required, use a fixed implementation address or disable upgrades.",
    "exploit_scenario": "The runtime performs a STATICCALL to the hardcoded address 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 with selector 0x5c60da1b, then DELEGATECALLs to the returned implementation. If that beacon/registry is upgradeable or compromised, it can return a malicious implementation and take over all proxy logic, enabling theft or state corruption."
}
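Checklist steps 2 to 4 applied to this run's bytecode, as an added example rather than Tripwire's detector or the Codex script above. It strips the CBOR trailer, disassembles the body, pulls out the embedded beacon address and the selector encoded into the STATICCALL, classifies where the DELEGATECALL target can come from, and gives a verdict. The bytecode constant is the runtime bytecode from the Codex transcript; the selector-ordering rule, the target-source classification and the selector table are this script's own heuristics, adequate for compiler-generated proxies but not a replacement for dataflow analysis.

```python
# Added example: static triage of the runtime bytecode shown in this run.
# Not Tripwire's detector or the Codex script; the heuristics here are this script's own.
from __future__ import annotations

# Runtime bytecode from the run above (the disassembler input in the Codex transcript).
RUNTIME_BYTECODE_HEX = (
    "608060405261000c61000e565b005b61001e610019610020565b6101ee565b565b60408051600481526024810182526020810180517bffffffffffffffffffffffffffffffffffffffffffffffffffffffff167f5c60da1b0000000000000000000000000000000000000000000000000000000017905290516000918291829173ffffffffffffffffffffffffffffffffffffffff7f000000000000000000000000ea623eebd9c5bfd56067e36c89db0c13e6c70ba816916100c19190610212565b600060405180830381855afa9150503d80600081146100fc576040519150601f19603f3d011682016040523d82523d6000602084013e610101565b606091505b50915091508161013d576040517f73a769bf00000000000000000000000000000000000000000000000000000000815260040160405180910390fd5b80516020146101865780516040517f7ce64c7800000000000000000000000000000000000000000000000000000000815260040161017d91815260200190565b60405180910390fd5b8080602001905181019061019a9190610241565b925073ffffffffffffffffffffffffffffffffffffffff83166101e9576040517ffb678c3000000000000000000000000000000000000000000000000000000000815260040160405180910390fd5b505090565b3660008037600080366000845af43d6000803e80801561020d573d6000f35b3d6000fd5b6000825160005b818110156102335760208186018101518583015201610219565b506000920191825250919050565b60006020828403121561025357600080fd5b815173ffffffffffffffffffffffffffffffffffffffff8116811461027757600080fd5b939250505056fea2646970667358221220faa02c8dbc06828a990393ba969bcbd1ea1639570ce9fd9adc1561125b0012f964736f6c63430008160033"
)
# Only opcodes the triage reasons about need names; anything else prints as OPxx.
OPS = {0x00: "STOP", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE", 0x37: "CALLDATACOPY",
       0x3B: "EXTCODESIZE", 0x3D: "RETURNDATASIZE", 0x3E: "RETURNDATACOPY", 0x54: "SLOAD",
       0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5B: "JUMPDEST", 0xF1: "CALL",
       0xF2: "CALLCODE", 0xF3: "RETURN", 0xF4: "DELEGATECALL", 0xFA: "STATICCALL",
       0xFD: "REVERT", 0xFE: "INVALID", 0xFF: "SELFDESTRUCT"}
# keccak256("implementation()")[:4], the getter EIP-1967 beacon proxies call on their beacon.
KNOWN_SELECTORS = {"0x5c60da1b": "implementation()"}


def strip_metadata(code: bytes) -> tuple[bytes, str | None]:
    """Split off solc's CBOR metadata trailer (length in the last two bytes) and read the solc version."""
    if len(code) < 2:
        return code, None
    n = int.from_bytes(code[-2:], "big")
    if n + 2 > len(code) or code[-2 - n] not in (0xA1, 0xA2, 0xA3):
        return code, None  # no CBOR map where a trailer would start: treat all bytes as code
    trailer = code[-2 - n:-2]
    version, i = None, trailer.find(b"solc")
    if i >= 0 and trailer[i + 4] == 0x43:  # 0x43: CBOR byte string of length 3 (major.minor.patch)
        version = ".".join(str(b) for b in trailer[i + 5:i + 8])
    return code[:-2 - n], version


def disassemble(code: bytes) -> list[tuple[int, str, bytes | None]]:
    """Linear sweep into (pc, mnemonic, immediate); PUSH0..PUSH32 are opcodes 0x5f..0x7f."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x5F <= op <= 0x7F:
            n = op - 0x5F
            out.append((pc, f"PUSH{n}", code[pc + 1:pc + 1 + n]))
            pc += 1 + n
        else:
            out.append((pc, OPS.get(op, f"OP{op:02x}"), None))
            pc += 1
    return out


def analyze(hexcode: str) -> dict:
    """Collect the facts checklist steps 2-4 need from the bytecode alone."""
    code = bytes.fromhex(hexcode[2:] if hexcode.startswith("0x") else hexcode)
    body, solc = strip_metadata(code)
    ins = disassemble(body)
    names = {m for _, m, _ in ins}
    staticcalls = [pc for pc, m, _ in ins if m == "STATICCALL"]
    delegatecalls = [pc for pc, m, _ in ins if m == "DELEGATECALL"]
    # PUSH32 with 12 leading zero bytes is an embedded address; PUSH32 with 28
    # trailing zero bytes is a left-aligned 4-byte selector (call or custom error).
    addrs, sels = [], []
    for pc, m, data in ins:
        if m == "PUSH32" and data[:12] == bytes(12) and any(data[12:]):
            addrs.append("0x" + data[12:].hex())
        elif m == "PUSH32" and data[4:] == bytes(28) and any(data[:4]):
            sels.append((pc, "0x" + data[:4].hex()))
    # Heuristic: the last selector pushed before the first STATICCALL is the one ABI-encoded
    # into it; the remaining ones in this bytecode sit on revert paths (custom errors).
    first = staticcalls[0] if staticcalls else None
    before = [s for pc, s in sels if first is not None and pc < first]
    call_sel = before[-1] if before else None
    # Where can the DELEGATECALL address come from? Without CALLDATALOAD or SLOAD the
    # only non-constant input is the return data of an earlier call.
    source = ("calldata" if "CALLDATALOAD" in names else "storage" if "SLOAD" in names
              else "returndata" if "RETURNDATACOPY" in names and staticcalls else "constant_or_unknown")
    return {
        "solc_version": solc, "opcode_count": len(ins),
        "staticcall_pcs": staticcalls, "delegatecall_pcs": delegatecalls,
        "embedded_addresses": addrs,
        "call_selector": call_sel, "call_selector_name": KNOWN_SELECTORS.get(call_sel),
        "other_selectors": [s for _, s in sels if s != call_sel],
        "target_source": source, "has_extcodesize": "EXTCODESIZE" in names,
    }


def verdict(r: dict) -> str:
    """Checklist steps 2-4: is the sink attacker-controlled, or upgrade plumbing?"""
    if not r["delegatecall_pcs"]:
        return "no DELEGATECALL sink"
    if r["target_source"] == "calldata":
        return "target can be set from calldata: keep, critical"
    if r["target_source"] == "returndata" and r["embedded_addresses"]:
        getter = r["call_selector_name"] or r["call_selector"]
        note = "" if r["has_extcodesize"] else "; no EXTCODESIZE check, a code-less implementation makes calls succeed with empty return data"
        return (f"target is {getter} returned by hardcoded {r['embedded_addresses'][0]}: "
                f"beacon-proxy plumbing, attacker control reduces to control of that beacon{note}")
    return "target source unclear: needs manual dataflow review"


if __name__ == "__main__":  # stand-alone run prints the collected facts and the verdict
    report = analyze(RUNTIME_BYTECODE_HEX)
    print(*(f"{k}: {v}" for k, v in report.items()), "verdict: " + verdict(report), sep="\n")
```

The on-chain follow-up that the static check cannot do: `cast call 0xea623eebd9c5bfd56067e36c89db0c13e6c70ba8 "implementation()(address)" --rpc-url $ETH_RPC_URL` to see what the beacon returns today, `cast code` on that address to confirm it has code, a comparison of it with the call_targets in validation_json, and a look at who can change the beacon's answer (an OpenZeppelin UpgradeableBeacon exposes `owner()`, but the page does not establish what the beacon's code is, so that is an assumption to verify).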