TW
Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

da09a895-da60-46f6-92dd-2d365b3161b9

complete
Chain ID
1
Address
0x821ab5215e7970480d1d9c145632e5c15d3b8bbb
Block Number
Created
Thu, Jan 1, 2026 2:12 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract
Confirmed
0
Validated
0
Source
Verified
Review Backing
Present
Best current signal
Plaintext answer exposure lets any EOA drain the full balance
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31033 report.consolidate complete 1 / 1 3 months ago
76012 artifact.fetch complete 1 / 3 1 week ago
76013 tool.cast_disasm complete 1 / 3 1 week ago
76014 analysis.bundle complete 1 / 3 1 week ago
76015 capability.graph complete 1 / 3 1 week ago
76016 detector.run complete 1 / 3 1 week ago
76017 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: yes

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
1
No findings?
no
Summary
Plaintext quiz answer is revealed on-chain in Start, enabling anyone to claim the full contract balance via Try.
View stderr 
[codex:8513995] OpenAI Codex v0.77.0 (research preview)
[codex:8513995] --------
[codex:8513995] workdir: /tmp/codex-multi-bbo14oyn
[codex:8513995] model: gpt-5.2-codex
[codex:8513995] provider: openai
[codex:8513995] approval: never
[codex:8513995] sandbox: read-only
[codex:8513995] reasoning effort: xhigh
[codex:8513995] reasoning summaries: auto
[codex:8513995] session id: 019b79e6-42ad-7d73-bd41-1578fd38fc1b
[codex:8513995] --------
[codex:8513995] user
[codex:8513995] You are a profit-focused exploit hunter. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:8513995] 
[codex:8513995] Read `AUDIT_BUNDLE.txt` completely before concluding. Treat `lib/` and `@openzeppelin/` as trusted unless misused.
[codex:8513995] 
[codex:8513995] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:8513995] - Gas inefficiency, code quality, naming, or best practices
[codex:8513995] - Theoretical vulnerabilities without a clear extraction path
[codex:8513995] - Centralization risks (admin can rug) - assume admin keys are secure
[codex:8513995] - Front-running unless it enables theft beyond MEV
[codex:8513995] - DoS, griefing, or issues that don't result in attacker profit
[codex:8513995] - Missing events, view function issues, or informational findings
[codex:8513995] 
[codex:8513995] HIGH-VALUE PATTERNS TO HUNT:
[codex:8513995] - Reentrancy: external calls before state updates that allow double-withdrawal
[codex:8513995] - Access control: missing/bypassable auth on withdraw, transfer, or mint functions
[codex:8513995] - Flash loan attacks: borrow -> manipulate -> profit in single tx
[codex:8513995] - Price oracle manipulation: TWAP with short window, spot price reads, stale prices
[codex:8513995] - Signature replay: missing nonce, chainId, or deadline in permit/meta-tx
[codex:8513995] - Proxy hijacking: unprotected initialize(), storage collision, UUPS without auth
[codex:8513995] - Accounting errors: rounding that favors attacker, share inflation, first depositor attacks
[codex:8513995] - Unchecked external calls: return value ignored on token transfers enabling fake tokens
[codex:8513995] - Cross-function reentrancy: state read in function A, modified via reentrant call, used stale in A
[codex:8513995] 
[codex:8513995] For each finding, you MUST provide:
[codex:8513995] 1. Exact file and line numbers of vulnerable code
[codex:8513995] 2. Step-by-step exploit transaction sequence
[codex:8513995] 3. Estimated profit potential (order of magnitude: contract balance, LP reserves, etc.)
[codex:8513995] 
[codex:8513995] If no concrete profit path exists: set no_findings=true. Do NOT pad with low-severity noise.
[codex:8513995] 
[codex:8513995] Output MUST be valid JSON matching the provided schema.
[codex:8513995] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:8513995] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:8513995] mcp startup: no servers
[codex:8513995] 
[codex:8513995] thinking
[codex:8513995] **Preparing to read audit file**
[codex:8513995] exec
[codex:8513995] /bin/bash -lc ls in /tmp/codex-multi-bbo14oyn succeeded in 5ms:
[codex:8513995] AUDIT_BUNDLE.txt
[codex:8513995] codex-output-schema.json
[codex:8513995] contracts
[codex:8513995] exec
[codex:8513995] /bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-multi-bbo14oyn succeeded in 5ms:
[codex:8513995] This file concatenates first-party Solidity sources only (lib/@openzeppelin excluded).
[codex:8513995] 
[codex:8513995] ================================================================================
[codex:8513995] FILE: contracts/Contract.sol
[codex:8513995] ================================================================================
[codex:8513995] contract PI_QUIZ
[codex:8513995] {
[codex:8513995]     function Try(string memory _response) public payable
[codex:8513995]     {
[codex:8513995]         require(msg.sender == tx.origin);
[codex:8513995] 
[codex:8513995]         if(responseHash == keccak256(abi.encode(_response)) && msg.value > 1 ether)
[codex:8513995]         {
[codex:8513995]             payable(msg.sender).transfer(address(this).balance);
[codex:8513995]         }
[codex:8513995]     }
[codex:8513995] 
[codex:8513995]     string public question;
[codex:8513995] 
[codex:8513995]     bytes32 responseHash;
[codex:8513995] 
[codex:8513995] thinking
[codex:8513995] **Analyzing potential exploit via on-chain response exposure**
[codex:8513995] exec
[codex:8513995] /bin/bash -lc 'nl -ba contracts/Contract.sol' in /tmp/codex-multi-bbo14oyn succeeded in 5ms:
[codex:8513995]      1	contract PI_QUIZ
[codex:8513995]      2	{
[codex:8513995]      3	    function Try(string memory _response) public payable
[codex:8513995]      4	    {
[codex:8513995]      5	        require(msg.sender == tx.origin);
[codex:8513995]      6	
[codex:8513995]      7	        if(responseHash == keccak256(abi.encode(_response)) && msg.value > 1 ether)
[codex:8513995]      8	        {
[codex:8513995]      9	            payable(msg.sender).transfer(address(this).balance);
[codex:8513995]     10	        }
[codex:8513995]     11	    }
[codex:8513995]     12	
[codex:8513995]     13	    string public question;
[codex:8513995]     14	
[codex:8513995]     15	    bytes32 responseHash;
[codex:8513995]     16	
[codex:8513995]     17	    mapping (bytes32=>bool) admin;
[codex:8513995]     18	
[codex:8513995]     19	    function Start(string calldata _question, string calldata _response) public payable isAdmin{
[codex:8513995]     20	        if(responseHash==0x0){
[codex:8513995] 
[codex:8513995] thinking
[codex:8513995] **Preparing detailed vulnerability report**
[codex:8513995] codex
[codex:8513995] {"no_findings":false,"summary":"Plaintext quiz answer is revealed on-chain in Start, enabling anyone to claim the full contract balance via Try.","findings":[{"severity":"high","category":"other","title":"Plaintext answer exposure lets any EOA drain the full balance","exploit_scenario":"1) Monitor mempool or chain for an admin calling Start and read the _response string directly from calldata. 2) Compute keccak256(abi.encode(_response)) locally. 3) Call Try from an EOA with the same _response and send >1 ether. 4) The contract transfers its entire balance to the attacker.","recommendation":"Never publish the plaintext answer on-chain. Use a commit-reveal scheme or only set the precomputed hash via New, and remove/disable Start or require the answer to be provided off-chain.","evidence":"Start stores keccak256(abi.encode(_response)) of a plaintext _response supplied in calldata, and Try pays out the entire balance when a caller submits that response with >1 ether.","locations":["contracts/Contract.sol:19","contracts/Contract.sol:7"]}]}
[codex:8513995] tokens used
[codex:8513995] 13,102
[codex:8513995] {"no_findings":false,"summary":"Plaintext quiz answer is revealed on-chain in Start, enabling anyone to claim the full contract balance via Try.","findings":[{"severity":"high","category":"other","title":"Plaintext answer exposure lets any EOA drain the full balance","exploit_scenario":"1) Monitor mempool or chain for an admin calling Start and read the _response string directly from calldata. 2) Compute keccak256(abi.encode(_response)) locally. 3) Call Try from an EOA with the same _response and send >1 ether. 4) The contract transfers its entire balance to the attacker.","recommendation":"Never publish the plaintext answer on-chain. Use a commit-reveal scheme or only set the precomputed hash via New, and remove/disable Start or require the answer to be provided off-chain.","evidence":"Start stores keccak256(abi.encode(_response)) of a plaintext _response supplied in calldata, and Try pays out the entire balance when a caller submits that response with >1 ether.","locations":["contracts/Contract.sol:19","contracts/Contract.sol:7"]}]}
Metadata 
{
    "codex": {
        "ran_at": "2026-01-01T14:12:05.688883+00:00",
        "returncode": 0
    },
    "summary": "Plaintext quiz answer is revealed on-chain in Start, enabling anyone to claim the full contract balance via Try.",
    "raw_final": {
        "summary": "Plaintext quiz answer is revealed on-chain in Start, enabling anyone to claim the full contract balance via Try.",
        "findings": [
            {
                "title": "Plaintext answer exposure lets any EOA drain the full balance",
                "category": "other",
                "evidence": "Start stores keccak256(abi.encode(_response)) of a plaintext _response supplied in calldata, and Try pays out the entire balance when a caller submits that response with >1 ether.",
                "severity": "high",
                "locations": [
                    "contracts/Contract.sol:19",
                    "contracts/Contract.sol:7"
                ],
                "recommendation": "Never publish the plaintext answer on-chain. Use a commit-reveal scheme or only set the precomputed hash via New, and remove/disable Start or require the answer to be provided off-chain.",
                "exploit_scenario": "1) Monitor mempool or chain for an admin calling Start and read the _response string directly from calldata. 2) Compute keccak256(abi.encode(_response)) locally. 3) Call Try from an EOA with the same _response and send >1 ether. 4) The contract transfers its entire balance to the attacker."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
2
EXT*/BALANCE
0
Total opcodes
1321
Flags
No heuristic flags raised.
View cast disassembly output 
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0x04
00000007: CALLDATASIZE
00000008: LT
00000009: PUSH2 0x004a
0000000c: JUMPI
0000000d: PUSH1 0x00
0000000f: CALLDATALOAD
00000010: PUSH1 0xe0
00000012: SHR
00000013: DUP1
00000014: PUSH4 0x3853682c
00000019: EQ
0000001a: PUSH2 0x0058
0000001d: JUMPI
0000001e: DUP1
0000001f: PUSH4 0x3fad9ae0
00000024: EQ
00000025: PUSH2 0x006b
00000028: JUMPI
00000029: DUP1
0000002a: PUSH4 0xbedf0f4a
0000002f: EQ
00000030: PUSH2 0x0096
00000033: JUMPI
00000034: DUP1
00000035: PUSH4 0xc76de3e9
0000003a: EQ
0000003b: PUSH2 0x009e
0000003e: JUMPI
0000003f: DUP1
00000040: PUSH4 0xed8df164
00000045: EQ
00000046: PUSH2 0x00b1
00000049: JUMPI
0000004a: JUMPDEST
0000004b: CALLVALUE
0000004c: DUP1
0000004d: ISZERO
0000004e: PUSH2 0x0056
00000051: JUMPI
00000052: PUSH1 0x00
00000054: DUP1
00000055: REVERT
00000056: JUMPDEST
00000057: STOP
00000058: JUMPDEST
00000059: PUSH2 0x0056
0000005c: PUSH2 0x0066
0000005f: CALLDATASIZE
00000060: PUSH1 0x04
00000062: PUSH2 0x0371
00000065: JUMP
00000066: JUMPDEST
00000067: PUSH2 0x00c4
0000006a: JUMP
0000006b: JUMPDEST
0000006c: CALLVALUE
0000006d: DUP1
0000006e: ISZERO
0000006f: PUSH2 0x0077
00000072: JUMPI
00000073: PUSH1 0x00
00000075: DUP1
00000076: REVERT
00000077: JUMPDEST
00000078: POP
00000079: PUSH2 0x0080
0000007c: PUSH2 0x0144
0000007f: JUMP
00000080: JUMPDEST
00000081: PUSH1 0x40
00000083: MLOAD
00000084: PUSH2 0x008d
00000087: SWAP2
00000088: SWAP1
00000089: PUSH2 0x0422
0000008c: JUMP
0000008d: JUMPDEST
0000008e: PUSH1 0x40
00000090: MLOAD
00000091: DUP1
00000092: SWAP2
00000093: SUB
00000094: SWAP1
00000095: RETURN
00000096: JUMPDEST
00000097: PUSH2 0x0056
0000009a: PUSH2 0x01d2
0000009d: JUMP
0000009e: JUMPDEST
0000009f: PUSH2 0x0056
000000a2: PUSH2 0x00ac
000000a5: CALLDATASIZE
000000a6: PUSH1 0x04
000000a8: PUSH2 0x04b9
000000ab: JUMP
000000ac: JUMPDEST
000000ad: PUSH2 0x0257
000000b0: JUMP
000000b1: JUMPDEST
000000b2: PUSH2 0x0056
000000b5: PUSH2 0x00bf
000000b8: CALLDATASIZE
000000b9: PUSH1 0x04
000000bb: PUSH2 0x0525
000000be: JUMP
000000bf: JUMPDEST
000000c0: PUSH2 0x02f5
000000c3: JUMP
000000c4: JUMPDEST
000000c5: CALLER
000000c6: ORIGIN
000000c7: EQ
000000c8: PUSH2 0x00d0
000000cb: JUMPI
000000cc: PUSH1 0x00
000000ce: DUP1
000000cf: REVERT
000000d0: JUMPDEST
000000d1: DUP1
000000d2: PUSH1 0x40
000000d4: MLOAD
000000d5: PUSH1 0x20
000000d7: ADD
000000d8: PUSH2 0x00e1
000000db: SWAP2
000000dc: SWAP1
000000dd: PUSH2 0x0422
000000e0: JUMP
000000e1: JUMPDEST
000000e2: PUSH1 0x40
000000e4: MLOAD
000000e5: PUSH1 0x20
000000e7: DUP2
000000e8: DUP4
000000e9: SUB
000000ea: SUB
000000eb: DUP2
000000ec: MSTORE
000000ed: SWAP1
000000ee: PUSH1 0x40
000000f0: MSTORE
000000f1: DUP1
000000f2: MLOAD
000000f3: SWAP1
000000f4: PUSH1 0x20
000000f6: ADD
000000f7: KECCAK256
000000f8: PUSH1 0x01
000000fa: SLOAD
000000fb: EQ
000000fc: DUP1
000000fd: ISZERO
000000fe: PUSH2 0x010e
00000101: JUMPI
00000102: POP
00000103: PUSH8 0x0de0b6b3a7640000
0000010c: CALLVALUE
0000010d: GT
0000010e: JUMPDEST
0000010f: ISZERO
00000110: PUSH2 0x0141
00000113: JUMPI
00000114: PUSH1 0x40
00000116: MLOAD
00000117: CALLER
00000118: SWAP1
00000119: SELFBALANCE
0000011a: DUP1
0000011b: ISZERO
0000011c: PUSH2 0x08fc
0000011f: MUL
00000120: SWAP2
00000121: PUSH1 0x00
00000123: DUP2
00000124: DUP2
00000125: DUP2
00000126: DUP6
00000127: DUP9
00000128: DUP9
00000129: CALL
0000012a: SWAP4
0000012b: POP
0000012c: POP
0000012d: POP
0000012e: POP
0000012f: ISZERO
00000130: DUP1
00000131: ISZERO
00000132: PUSH2 0x013f
00000135: JUMPI
00000136: RETURNDATASIZE
00000137: PUSH1 0x00
00000139: DUP1
0000013a: RETURNDATACOPY
0000013b: RETURNDATASIZE
0000013c: PUSH1 0x00
0000013e: REVERT
0000013f: JUMPDEST
00000140: POP
00000141: JUMPDEST
00000142: POP
00000143: JUMP
00000144: JUMPDEST
00000145: PUSH1 0x00
00000147: DUP1
00000148: SLOAD
00000149: PUSH2 0x0151
0000014c: SWAP1
0000014d: PUSH2 0x0571
00000150: JUMP
00000151: JUMPDEST
00000152: DUP1
00000153: PUSH1 0x1f
00000155: ADD
00000156: PUSH1 0x20
00000158: DUP1
00000159: SWAP2
0000015a: DIV
0000015b: MUL
0000015c: PUSH1 0x20
0000015e: ADD
0000015f: PUSH1 0x40
00000161: MLOAD
00000162: SWAP1
00000163: DUP2
00000164: ADD
00000165: PUSH1 0x40
00000167: MSTORE
00000168: DUP1
00000169: SWAP3
0000016a: SWAP2
0000016b: SWAP1
0000016c: DUP2
0000016d: DUP2
0000016e: MSTORE
0000016f: PUSH1 0x20
00000171: ADD
00000172: DUP3
00000173: DUP1
00000174: SLOAD
00000175: PUSH2 0x017d
00000178: SWAP1
00000179: PUSH2 0x0571
0000017c: JUMP
0000017d: JUMPDEST
0000017e: DUP1
0000017f: ISZERO
00000180: PUSH2 0x01ca
00000183: JUMPI
00000184: DUP1
00000185: PUSH1 0x1f
00000187: LT
00000188: PUSH2 0x019f
0000018b: JUMPI
0000018c: PUSH2 0x0100
0000018f: DUP1
00000190: DUP4
00000191: SLOAD
00000192: DIV
00000193: MUL
00000194: DUP4
00000195: MSTORE
00000196: SWAP2
00000197: PUSH1 0x20
00000199: ADD
0000019a: SWAP2
0000019b: PUSH2 0x01ca
0000019e: JUMP
0000019f: JUMPDEST
000001a0: DUP3
000001a1: ADD
000001a2: SWAP2
000001a3: SWAP1
000001a4: PUSH1 0x00
000001a6: MSTORE
000001a7: PUSH1 0x20
000001a9: PUSH1 0x00
000001ab: KECCAK256
000001ac: SWAP1
000001ad: JUMPDEST
000001ae: DUP2
000001af: SLOAD
000001b0: DUP2
000001b1: MSTORE
000001b2: SWAP1
000001b3: PUSH1 0x01
000001b5: ADD
000001b6: SWAP1
000001b7: PUSH1 0x20
000001b9: ADD
000001ba: DUP1
000001bb: DUP4
000001bc: GT
000001bd: PUSH2 0x01ad
000001c0: JUMPI
000001c1: DUP3
000001c2: SWAP1
000001c3: SUB
000001c4: PUSH1 0x1f
000001c6: AND
000001c7: DUP3
000001c8: ADD
000001c9: SWAP2
000001ca: JUMPDEST
000001cb: POP
000001cc: POP
000001cd: POP
000001ce: POP
000001cf: POP
000001d0: DUP2
000001d1: JUMP
000001d2: JUMPDEST
000001d3: PUSH1 0x40
000001d5: MLOAD
000001d6: PUSH1 0x01
000001d8: PUSH1 0x01
000001da: PUSH1 0x60
000001dc: SHL
000001dd: SUB
000001de: NOT
000001df: CALLER
000001e0: PUSH1 0x60
000001e2: SHL
000001e3: AND
000001e4: PUSH1 0x20
000001e6: DUP3
000001e7: ADD
000001e8: MSTORE
000001e9: PUSH1 0x02
000001eb: SWAP1
000001ec: PUSH1 0x00
000001ee: SWAP1
000001ef: PUSH1 0x34
000001f1: ADD
000001f2: PUSH1 0x40
000001f4: DUP1
000001f5: MLOAD
000001f6: PUSH1 0x1f
000001f8: NOT
000001f9: DUP2
000001fa: DUP5
000001fb: SUB
000001fc: ADD
000001fd: DUP2
000001fe: MSTORE
000001ff: SWAP2
00000200: DUP2
00000201: MSTORE
00000202: DUP2
00000203: MLOAD
00000204: PUSH1 0x20
00000206: SWAP3
00000207: DUP4
00000208: ADD
00000209: KECCAK256
0000020a: DUP4
0000020b: MSTORE
0000020c: SWAP1
0000020d: DUP3
0000020e: ADD
0000020f: SWAP3
00000210: SWAP1
00000211: SWAP3
00000212: MSTORE
00000213: ADD
00000214: PUSH1 0x00
00000216: KECCAK256
00000217: SLOAD
00000218: PUSH1 0xff
0000021a: AND
0000021b: PUSH2 0x0223
0000021e: JUMPI
0000021f: PUSH1 0x00
00000221: DUP1
00000222: REVERT
00000223: JUMPDEST
00000224: PUSH1 0x40
00000226: MLOAD
00000227: CALLER
00000228: SWAP1
00000229: SELFBALANCE
0000022a: DUP1
0000022b: ISZERO
0000022c: PUSH2 0x08fc
0000022f: MUL
00000230: SWAP2
00000231: PUSH1 0x00
00000233: DUP2
00000234: DUP2
00000235: DUP2
00000236: DUP6
00000237: DUP9
00000238: DUP9
00000239: CALL
0000023a: SWAP4
0000023b: POP
0000023c: POP
0000023d: POP
0000023e: POP
0000023f: ISZERO
00000240: DUP1
00000241: ISZERO
00000242: PUSH2 0x024f
00000245: JUMPI
00000246: RETURNDATASIZE
00000247: PUSH1 0x00
00000249: DUP1
0000024a: RETURNDATACOPY
0000024b: RETURNDATASIZE
0000024c: PUSH1 0x00
0000024e: REVERT
0000024f: JUMPDEST
00000250: POP
00000251: PUSH1 0x00
00000253: PUSH1 0x01
00000255: SSTORE
00000256: JUMP
00000257: JUMPDEST
00000258: PUSH1 0x40
0000025a: MLOAD
0000025b: PUSH1 0x01
0000025d: PUSH1 0x01
0000025f: PUSH1 0x60
00000261: SHL
00000262: SUB
00000263: NOT
00000264: CALLER
00000265: PUSH1 0x60
00000267: SHL
00000268: AND
00000269: PUSH1 0x20
0000026b: DUP3
0000026c: ADD
0000026d: MSTORE
0000026e: PUSH1 0x02
00000270: SWAP1
00000271: PUSH1 0x00
00000273: SWAP1
00000274: PUSH1 0x34
00000276: ADD
00000277: PUSH1 0x40
00000279: DUP1
0000027a: MLOAD
0000027b: PUSH1 0x1f
0000027d: NOT
0000027e: DUP2
0000027f: DUP5
00000280: SUB
00000281: ADD
00000282: DUP2
00000283: MSTORE
00000284: SWAP2
00000285: DUP2
00000286: MSTORE
00000287: DUP2
00000288: MLOAD
00000289: PUSH1 0x20
0000028b: SWAP3
0000028c: DUP4
0000028d: ADD
0000028e: KECCAK256
0000028f: DUP4
00000290: MSTORE
00000291: SWAP1
00000292: DUP3
00000293: ADD
00000294: SWAP3
00000295: SWAP1
00000296: SWAP3
00000297: MSTORE
00000298: ADD
00000299: PUSH1 0x00
0000029b: KECCAK256
0000029c: SLOAD
0000029d: PUSH1 0xff
0000029f: AND
000002a0: PUSH2 0x02a8
000002a3: JUMPI
000002a4: PUSH1 0x00
000002a6: DUP1
000002a7: REVERT
000002a8: JUMPDEST
000002a9: PUSH1 0x01
000002ab: SLOAD
000002ac: PUSH1 0x00
000002ae: SUB
000002af: PUSH2 0x02ef
000002b2: JUMPI
000002b3: DUP2
000002b4: DUP2
000002b5: PUSH1 0x40
000002b7: MLOAD
000002b8: PUSH1 0x20
000002ba: ADD
000002bb: PUSH2 0x02c5
000002be: SWAP3
000002bf: SWAP2
000002c0: SWAP1
000002c1: PUSH2 0x05ab
000002c4: JUMP
000002c5: JUMPDEST
000002c6: PUSH1 0x40
000002c8: DUP1
000002c9: MLOAD
000002ca: PUSH1 0x1f
000002cc: NOT
000002cd: DUP2
000002ce: DUP5
000002cf: SUB
000002d0: ADD
000002d1: DUP2
000002d2: MSTORE
000002d3: SWAP2
000002d4: SWAP1
000002d5: MSTORE
000002d6: DUP1
000002d7: MLOAD
000002d8: PUSH1 0x20
000002da: SWAP1
000002db: SWAP2
000002dc: ADD
000002dd: KECCAK256
000002de: PUSH1 0x01
000002e0: SSTORE
000002e1: PUSH1 0x00
000002e3: PUSH2 0x02ed
000002e6: DUP5
000002e7: DUP7
000002e8: DUP4
000002e9: PUSH2 0x0629
000002ec: JUMP
000002ed: JUMPDEST
000002ee: POP
000002ef: JUMPDEST
000002f0: POP
000002f1: POP
000002f2: POP
000002f3: POP
000002f4: JUMP
000002f5: JUMPDEST
000002f6: PUSH1 0x40
000002f8: MLOAD
000002f9: PUSH1 0x01
000002fb: PUSH1 0x01
000002fd: PUSH1 0x60
000002ff: SHL
00000300: SUB
00000301: NOT
00000302: CALLER
00000303: PUSH1 0x60
00000305: SHL
00000306: AND
00000307: PUSH1 0x20
00000309: DUP3
0000030a: ADD
0000030b: MSTORE
0000030c: PUSH1 0x02
0000030e: SWAP1
0000030f: PUSH1 0x00
00000311: SWAP1
00000312: PUSH1 0x34
00000314: ADD
00000315: PUSH1 0x40
00000317: DUP1
00000318: MLOAD
00000319: PUSH1 0x1f
0000031b: NOT
0000031c: DUP2
0000031d: DUP5
0000031e: SUB
0000031f: ADD
00000320: DUP2
00000321: MSTORE
00000322: SWAP2
00000323: DUP2
00000324: MSTORE
00000325: DUP2
00000326: MLOAD
00000327: PUSH1 0x20
00000329: SWAP3
0000032a: DUP4
0000032b: ADD
0000032c: KECCAK256
0000032d: DUP4
0000032e: MSTORE
0000032f: SWAP1
00000330: DUP3
00000331: ADD
00000332: SWAP3
00000333: SWAP1
00000334: SWAP3
00000335: MSTORE
00000336: ADD
00000337: PUSH1 0x00
00000339: KECCAK256
0000033a: SLOAD
0000033b: PUSH1 0xff
0000033d: AND
0000033e: PUSH2 0x0346
00000341: JUMPI
00000342: PUSH1 0x00
00000344: DUP1
00000345: REVERT
00000346: JUMPDEST
00000347: PUSH1 0x00
00000349: PUSH2 0x0353
0000034c: DUP4
0000034d: DUP6
0000034e: DUP4
0000034f: PUSH2 0x0629
00000352: JUMP
00000353: JUMPDEST
00000354: POP
00000355: PUSH1 0x01
00000357: SSTORE
00000358: POP
00000359: POP
0000035a: JUMP
0000035b: JUMPDEST
0000035c: PUSH4 0x4e487b71
00000361: PUSH1 0xe0
00000363: SHL
00000364: PUSH1 0x00
00000366: MSTORE
00000367: PUSH1 0x41
00000369: PUSH1 0x04
0000036b: MSTORE
0000036c: PUSH1 0x24
0000036e: PUSH1 0x00
00000370: REVERT
00000371: JUMPDEST
00000372: PUSH1 0x00
00000374: PUSH1 0x20
00000376: DUP3
00000377: DUP5
00000378: SUB
00000379: SLT
0000037a: ISZERO
0000037b: PUSH2 0x0383
0000037e: JUMPI
0000037f: PUSH1 0x00
00000381: DUP1
00000382: REVERT
00000383: JUMPDEST
00000384: DUP2
00000385: CALLDATALOAD
00000386: PUSH8 0xffffffffffffffff
0000038f: DUP1
00000390: DUP3
00000391: GT
00000392: ISZERO
00000393: PUSH2 0x039b
00000396: JUMPI
00000397: PUSH1 0x00
00000399: DUP1
0000039a: REVERT
0000039b: JUMPDEST
0000039c: DUP2
0000039d: DUP5
0000039e: ADD
0000039f: SWAP2
000003a0: POP
000003a1: DUP5
000003a2: PUSH1 0x1f
000003a4: DUP4
000003a5: ADD
000003a6: SLT
000003a7: PUSH2 0x03af
000003aa: JUMPI
000003ab: PUSH1 0x00
000003ad: DUP1
000003ae: REVERT
000003af: JUMPDEST
000003b0: DUP2
000003b1: CALLDATALOAD
000003b2: DUP2
000003b3: DUP2
000003b4: GT
000003b5: ISZERO
000003b6: PUSH2 0x03c1
000003b9: JUMPI
000003ba: PUSH2 0x03c1
000003bd: PUSH2 0x035b
000003c0: JUMP
000003c1: JUMPDEST
000003c2: PUSH1 0x40
000003c4: MLOAD
000003c5: PUSH1 0x1f
000003c7: DUP3
000003c8: ADD
000003c9: PUSH1 0x1f
000003cb: NOT
000003cc: SWAP1
000003cd: DUP2
000003ce: AND
000003cf: PUSH1 0x3f
000003d1: ADD
000003d2: AND
000003d3: DUP2
000003d4: ADD
000003d5: SWAP1
000003d6: DUP4
000003d7: DUP3
000003d8: GT
000003d9: DUP2
000003da: DUP4
000003db: LT
000003dc: OR
000003dd: ISZERO
000003de: PUSH2 0x03e9
000003e1: JUMPI
000003e2: PUSH2 0x03e9
000003e5: PUSH2 0x035b
000003e8: JUMP
000003e9: JUMPDEST
000003ea: DUP2
000003eb: PUSH1 0x40
000003ed: MSTORE
000003ee: DUP3
000003ef: DUP2
000003f0: MSTORE
000003f1: DUP8
000003f2: PUSH1 0x20
000003f4: DUP5
000003f5: DUP8
000003f6: ADD
000003f7: ADD
000003f8: GT
000003f9: ISZERO
000003fa: PUSH2 0x0402
000003fd: JUMPI
000003fe: PUSH1 0x00
00000400: DUP1
00000401: REVERT
00000402: JUMPDEST
00000403: DUP3
00000404: PUSH1 0x20
00000406: DUP7
00000407: ADD
00000408: PUSH1 0x20
0000040a: DUP4
0000040b: ADD
0000040c: CALLDATACOPY
0000040d: PUSH1 0x00
0000040f: SWAP3
00000410: DUP2
00000411: ADD
00000412: PUSH1 0x20
00000414: ADD
00000415: SWAP3
00000416: SWAP1
00000417: SWAP3
00000418: MSTORE
00000419: POP
0000041a: SWAP6
0000041b: SWAP5
0000041c: POP
0000041d: POP
0000041e: POP
0000041f: POP
00000420: POP
00000421: JUMP
00000422: JUMPDEST
00000423: PUSH1 0x00
00000425: PUSH1 0x20
00000427: DUP1
00000428: DUP4
00000429: MSTORE
0000042a: DUP4
0000042b: MLOAD
0000042c: DUP1
0000042d: DUP3
0000042e: DUP6
0000042f: ADD
00000430: MSTORE
00000431: PUSH1 0x00
00000433: JUMPDEST
00000434: DUP2
00000435: DUP2
00000436: LT
00000437: ISZERO
00000438: PUSH2 0x044f
0000043b: JUMPI
0000043c: DUP6
0000043d: DUP2
0000043e: ADD
0000043f: DUP4
00000440: ADD
00000441: MLOAD
00000442: DUP6
00000443: DUP3
00000444: ADD
00000445: PUSH1 0x40
00000447: ADD
00000448: MSTORE
00000449: DUP3
0000044a: ADD
0000044b: PUSH2 0x0433
0000044e: JUMP
0000044f: JUMPDEST
00000450: POP
00000451: PUSH1 0x00
00000453: PUSH1 0x40
00000455: DUP3
00000456: DUP7
00000457: ADD
00000458: ADD
00000459: MSTORE
0000045a: PUSH1 0x40
0000045c: PUSH1 0x1f
0000045e: NOT
0000045f: PUSH1 0x1f
00000461: DUP4
00000462: ADD
00000463: AND
00000464: DUP6
00000465: ADD
00000466: ADD
00000467: SWAP3
00000468: POP
00000469: POP
0000046a: POP
0000046b: SWAP3
0000046c: SWAP2
0000046d: POP
0000046e: POP
0000046f: JUMP
00000470: JUMPDEST
00000471: PUSH1 0x00
00000473: DUP1
00000474: DUP4
00000475: PUSH1 0x1f
00000477: DUP5
00000478: ADD
00000479: SLT
0000047a: PUSH2 0x0482
0000047d: JUMPI
0000047e: PUSH1 0x00
00000480: DUP1
00000481: REVERT
00000482: JUMPDEST
00000483: POP
00000484: DUP2
00000485: CALLDATALOAD
00000486: PUSH8 0xffffffffffffffff
0000048f: DUP2
00000490: GT
00000491: ISZERO
00000492: PUSH2 0x049a
00000495: JUMPI
00000496: PUSH1 0x00
00000498: DUP1
00000499: REVERT
0000049a: JUMPDEST
0000049b: PUSH1 0x20
0000049d: DUP4
0000049e: ADD
0000049f: SWAP2
000004a0: POP
000004a1: DUP4
000004a2: PUSH1 0x20
000004a4: DUP3
000004a5: DUP6
000004a6: ADD
000004a7: ADD
000004a8: GT
000004a9: ISZERO
000004aa: PUSH2 0x04b2
000004ad: JUMPI
000004ae: PUSH1 0x00
000004b0: DUP1
000004b1: REVERT
000004b2: JUMPDEST
000004b3: SWAP3
000004b4: POP
000004b5: SWAP3
000004b6: SWAP1
000004b7: POP
000004b8: JUMP
000004b9: JUMPDEST
000004ba: PUSH1 0x00
000004bc: DUP1
000004bd: PUSH1 0x00
000004bf: DUP1
000004c0: PUSH1 0x40
000004c2: DUP6
000004c3: DUP8
000004c4: SUB
000004c5: SLT
000004c6: ISZERO
000004c7: PUSH2 0x04cf
000004ca: JUMPI
000004cb: PUSH1 0x00
000004cd: DUP1
000004ce: REVERT
000004cf: JUMPDEST
000004d0: DUP5
000004d1: CALLDATALOAD
000004d2: PUSH8 0xffffffffffffffff
000004db: DUP1
000004dc: DUP3
000004dd: GT
000004de: ISZERO
000004df: PUSH2 0x04e7
000004e2: JUMPI
000004e3: PUSH1 0x00
000004e5: DUP1
000004e6: REVERT
000004e7: JUMPDEST
000004e8: PUSH2 0x04f3
000004eb: DUP9
000004ec: DUP4
000004ed: DUP10
000004ee: ADD
000004ef: PUSH2 0x0470
000004f2: JUMP
000004f3: JUMPDEST
000004f4: SWAP1
000004f5: SWAP7
000004f6: POP
000004f7: SWAP5
000004f8: POP
000004f9: PUSH1 0x20
000004fb: DUP8
000004fc: ADD
000004fd: CALLDATALOAD
000004fe: SWAP2
000004ff: POP
00000500: DUP1
00000501: DUP3
00000502: GT
00000503: ISZERO
00000504: PUSH2 0x050c
00000507: JUMPI
00000508: PUSH1 0x00
0000050a: DUP1
0000050b: REVERT
0000050c: JUMPDEST
0000050d: POP
0000050e: PUSH2 0x0519
00000511: DUP8
00000512: DUP3
00000513: DUP9
00000514: ADD
00000515: PUSH2 0x0470
00000518: JUMP
00000519: JUMPDEST
0000051a: SWAP6
0000051b: SWAP9
0000051c: SWAP5
0000051d: SWAP8
0000051e: POP
0000051f: SWAP6
00000520: POP
00000521: POP
00000522: POP
00000523: POP
00000524: JUMP
00000525: JUMPDEST
00000526: PUSH1 0x00
00000528: DUP1
00000529: PUSH1 0x00
0000052b: PUSH1 0x40
0000052d: DUP5
0000052e: DUP7
0000052f: SUB
00000530: SLT
00000531: ISZERO
00000532: PUSH2 0x053a
00000535: JUMPI
00000536: PUSH1 0x00
00000538: DUP1
00000539: REVERT
0000053a: JUMPDEST
0000053b: DUP4
0000053c: CALLDATALOAD
0000053d: PUSH8 0xffffffffffffffff
00000546: DUP2
00000547: GT
00000548: ISZERO
00000549: PUSH2 0x0551
0000054c: JUMPI
0000054d: PUSH1 0x00
0000054f: DUP1
00000550: REVERT
00000551: JUMPDEST
00000552: PUSH2 0x055d
00000555: DUP7
00000556: DUP3
00000557: DUP8
00000558: ADD
00000559: PUSH2 0x0470
0000055c: JUMP
0000055d: JUMPDEST
0000055e: SWAP1
0000055f: SWAP8
00000560: SWAP1
00000561: SWAP7
00000562: POP
00000563: PUSH1 0x20
00000565: SWAP6
00000566: SWAP1
00000567: SWAP6
00000568: ADD
00000569: CALLDATALOAD
0000056a: SWAP5
0000056b: SWAP4
0000056c: POP
0000056d: POP
0000056e: POP
0000056f: POP
00000570: JUMP
00000571: JUMPDEST
00000572: PUSH1 0x01
00000574: DUP2
00000575: DUP2
00000576: SHR
00000577: SWAP1
00000578: DUP3
00000579: AND
0000057a: DUP1
0000057b: PUSH2 0x0585
0000057e: JUMPI
0000057f: PUSH1 0x7f
00000581: DUP3
00000582: AND
00000583: SWAP2
00000584: POP
00000585: JUMPDEST
00000586: PUSH1 0x20
00000588: DUP3
00000589: LT
0000058a: DUP2
0000058b: SUB
0000058c: PUSH2 0x05a5
0000058f: JUMPI
00000590: PUSH4 0x4e487b71
00000595: PUSH1 0xe0
00000597: SHL
00000598: PUSH1 0x00
0000059a: MSTORE
0000059b: PUSH1 0x22
0000059d: PUSH1 0x04
0000059f: MSTORE
000005a0: PUSH1 0x24
000005a2: PUSH1 0x00
000005a4: REVERT
000005a5: JUMPDEST
000005a6: POP
000005a7: SWAP2
000005a8: SWAP1
000005a9: POP
000005aa: JUMP
000005ab: JUMPDEST
000005ac: PUSH1 0x20
000005ae: DUP2
000005af: MSTORE
000005b0: DUP2
000005b1: PUSH1 0x20
000005b3: DUP3
000005b4: ADD
000005b5: MSTORE
000005b6: DUP2
000005b7: DUP4
000005b8: PUSH1 0x40
000005ba: DUP4
000005bb: ADD
000005bc: CALLDATACOPY
000005bd: PUSH1 0x00
000005bf: DUP2
000005c0: DUP4
000005c1: ADD
000005c2: PUSH1 0x40
000005c4: SWAP1
000005c5: DUP2
000005c6: ADD
000005c7: SWAP2
000005c8: SWAP1
000005c9: SWAP2
000005ca: MSTORE
000005cb: PUSH1 0x1f
000005cd: SWAP1
000005ce: SWAP3
000005cf: ADD
000005d0: PUSH1 0x1f
000005d2: NOT
000005d3: AND
000005d4: ADD
000005d5: ADD
000005d6: SWAP2
000005d7: SWAP1
000005d8: POP
000005d9: JUMP
000005da: JUMPDEST
000005db: PUSH1 0x1f
000005dd: DUP3
000005de: GT
000005df: ISZERO
000005e0: PUSH2 0x0624
000005e3: JUMPI
000005e4: PUSH1 0x00
000005e6: DUP2
000005e7: DUP2
000005e8: MSTORE
000005e9: PUSH1 0x20
000005eb: DUP2
000005ec: KECCAK256
000005ed: PUSH1 0x1f
000005ef: DUP6
000005f0: ADD
000005f1: PUSH1 0x05
000005f3: SHR
000005f4: DUP2
000005f5: ADD
000005f6: PUSH1 0x20
000005f8: DUP7
000005f9: LT
000005fa: ISZERO
000005fb: PUSH2 0x0601
000005fe: JUMPI
000005ff: POP
00000600: DUP1
00000601: JUMPDEST
00000602: PUSH1 0x1f
00000604: DUP6
00000605: ADD
00000606: PUSH1 0x05
00000608: SHR
00000609: DUP3
0000060a: ADD
0000060b: SWAP2
0000060c: POP
0000060d: JUMPDEST
0000060e: DUP2
0000060f: DUP2
00000610: LT
00000611: ISZERO
00000612: PUSH2 0x0620
00000615: JUMPI
00000616: DUP3
00000617: DUP2
00000618: SSTORE
00000619: PUSH1 0x01
0000061b: ADD
0000061c: PUSH2 0x060d
0000061f: JUMP
00000620: JUMPDEST
00000621: POP
00000622: POP
00000623: POP
00000624: JUMPDEST
00000625: POP
00000626: POP
00000627: POP
00000628: JUMP
00000629: JUMPDEST
0000062a: PUSH8 0xffffffffffffffff
00000633: DUP4
00000634: GT
00000635: ISZERO
00000636: PUSH2 0x0641
00000639: JUMPI
0000063a: PUSH2 0x0641
0000063d: PUSH2 0x035b
00000640: JUMP
00000641: JUMPDEST
00000642: PUSH2 0x0655
00000645: DUP4
00000646: PUSH2 0x064f
00000649: DUP4
0000064a: SLOAD
0000064b: PUSH2 0x0571
0000064e: JUMP
0000064f: JUMPDEST
00000650: DUP4
00000651: PUSH2 0x05da
00000654: JUMP
00000655: JUMPDEST
00000656: PUSH1 0x00
00000658: PUSH1 0x1f
0000065a: DUP5
0000065b: GT
0000065c: PUSH1 0x01
0000065e: DUP2
0000065f: EQ
00000660: PUSH2 0x0689
00000663: JUMPI
00000664: PUSH1 0x00
00000666: DUP6
00000667: ISZERO
00000668: PUSH2 0x0671
0000066b: JUMPI
0000066c: POP
0000066d: DUP4
0000066e: DUP3
0000066f: ADD
00000670: CALLDATALOAD
00000671: JUMPDEST
00000672: PUSH1 0x00
00000674: NOT
00000675: PUSH1 0x03
00000677: DUP8
00000678: SWAP1
00000679: SHL
0000067a: SHR
0000067b: NOT
0000067c: AND
0000067d: PUSH1 0x01
0000067f: DUP7
00000680: SWAP1
00000681: SHL
00000682: OR
00000683: DUP4
00000684: SSTORE
00000685: PUSH2 0x02ed
00000688: JUMP
00000689: JUMPDEST
0000068a: PUSH1 0x00
0000068c: DUP4
0000068d: DUP2
0000068e: MSTORE
0000068f: PUSH1 0x20
00000691: SWAP1
00000692: KECCAK256
00000693: PUSH1 0x1f
00000695: NOT
00000696: DUP7
00000697: AND
00000698: SWAP1
00000699: DUP4
0000069a: JUMPDEST
0000069b: DUP3
0000069c: DUP2
0000069d: LT
0000069e: ISZERO
0000069f: PUSH2 0x06ba
000006a2: JUMPI
000006a3: DUP7
000006a4: DUP6
000006a5: ADD
000006a6: CALLDATALOAD
000006a7: DUP3
000006a8: SSTORE
000006a9: PUSH1 0x20
000006ab: SWAP5
000006ac: DUP6
000006ad: ADD
000006ae: SWAP5
000006af: PUSH1 0x01
000006b1: SWAP1
000006b2: SWAP3
000006b3: ADD
000006b4: SWAP2
000006b5: ADD
000006b6: PUSH2 0x069a
000006b9: JUMP
000006ba: JUMPDEST
000006bb: POP
000006bc: DUP7
000006bd: DUP3
000006be: LT
000006bf: ISZERO
000006c0: PUSH2 0x06d7
000006c3: JUMPI
000006c4: PUSH1 0x00
000006c6: NOT
000006c7: PUSH1 0xf8
000006c9: DUP9
000006ca: PUSH1 0x03
000006cc: SHL
000006cd: AND
000006ce: SHR
000006cf: NOT
000006d0: DUP5
000006d1: DUP8
000006d2: ADD
000006d3: CALLDATALOAD
000006d4: AND
000006d5: DUP2
000006d6: SSTORE
000006d7: JUMPDEST
000006d8: POP
000006d9: POP
000006da: PUSH1 0x01
000006dc: DUP6
000006dd: PUSH1 0x01
000006df: SHL
000006e0: ADD
000006e1: DUP4
000006e2: SSTORE
000006e3: POP
000006e4: POP
000006e5: POP
000006e6: POP
000006e7: POP
000006e8: JUMP
000006e9: INVALID
000006ea: LOG2
000006eb: PUSH5 0x6970667358
000006f1: UNKNOWN(0x22)
000006f2: SLT
000006f3: KECCAK256
000006f4: SWAP13
000006f5: DUP5
000006f6: UNKNOWN(0xA7)
000006f7: UNKNOWN(0xF9)
000006f8: ORIGIN
000006f9: UNKNOWN(0xF6)
000006fa: TSTORE
000006fb: LT
000006fc: PUSH23 0x22edaf5026bc25c6638c4250a3e0c66c899f2e07b7c363
00000714: PUSH5 0x736f6c6343
0000071a: STOP
0000071b: ADDMOD
0000071c: SGT
0000071d: STOP
0000071e: CALLER

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other codex Plaintext answer exposure lets any EOA drain the full balance 85 no
view
evidence_json 
{
    "evidence": "Start stores keccak256(abi.encode(_response)) of a plaintext _response supplied in calldata, and Try pays out the entire balance when a caller submits that response with >1 ether.",
    "locations": [
        "contracts/Contract.sol:19",
        "contracts/Contract.sol:7"
    ],
    "recommendation": "Never publish the plaintext answer on-chain. Use a commit-reveal scheme or only set the precomputed hash via New, and remove/disable Start or require the answer to be provided off-chain.",
    "exploit_scenario": "1) Monitor mempool or chain for an admin calling Start and read the _response string directly from calldata. 2) Compute keccak256(abi.encode(_response)) locally. 3) Call Try from an EOA with the same _response and send >1 ether. 4) The contract transfers its entire balance to the attacker."
}
high auth detector Authorization based on tx.origin 70 no
view
validation_json 
{
    "reason": "missing sink mapping",
    "status": "no_sink"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x3853682c",
            "selector": "0x3853682c",
            "calldata_variants": [
                "0x3853682c",
                "0x3853682c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x3fad9ae0",
            "selector": "0x3fad9ae0",
            "calldata_variants": [
                "0x3fad9ae0",
                "0x3fad9ae00000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xbedf0f4a",
            "selector": "0xbedf0f4a",
            "calldata_variants": [
                "0xbedf0f4a",
                "0xbedf0f4a0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xc76de3e9",
            "selector": "0xc76de3e9",
            "calldata_variants": [
                "0xc76de3e9",
                "0xc76de3e90000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xed8df164",
            "selector": "0xed8df164",
            "calldata_variants": [
                "0xed8df164",
                "0xed8df1640000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "guards_detected": [
        {
            "pc": 199,
            "type": "tx_origin_used"
        },
        {
            "pc": 198,
            "type": "tx_origin_used"
        },
        {
            "pc": 1784,
            "type": "tx_origin_used"
        }
    ]
}
medium other detector Untrusted CALL target/value reachable 45 no no
view
trace_id: 0x9f1f786bbfa99093992c58a9484f9422e40a1576c4bd2770b0ce484ca10d2a5c
call_targets: 0x821ab5215e7970480d1d9c145632e5c15d3b8bbb
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x9f1f786bbfa99093992c58a9484f9422e40a1576c4bd2770b0ce484ca10d2a5c",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x821ab5215e7970480d1d9c145632e5c15d3b8bbb"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x3853682c",
            "selector": "0x3853682c",
            "calldata_variants": [
                "0x3853682c",
                "0x3853682c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x3fad9ae0",
            "selector": "0x3fad9ae0",
            "calldata_variants": [
                "0x3fad9ae0",
                "0x3fad9ae00000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xbedf0f4a",
            "selector": "0xbedf0f4a",
            "calldata_variants": [
                "0xbedf0f4a",
                "0xbedf0f4a0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xc76de3e9",
            "selector": "0xc76de3e9",
            "calldata_variants": [
                "0xc76de3e9",
                "0xc76de3e90000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xed8df164",
            "selector": "0xed8df164",
            "calldata_variants": [
                "0xed8df164",
                "0xed8df1640000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 297,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 569,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 2,
    "guards_detected": [
        {
            "pc": 199,
            "type": "tx_origin_used"
        },
        {
            "pc": 198,
            "type": "tx_origin_used"
        },
        {
            "pc": 1784,
            "type": "tx_origin_used"
        }
    ],
    "untrusted_call_count": 2
}
medium other detector ETH value transfer possible 40 no no
view
trace_id: 0x9f1f786bbfa99093992c58a9484f9422e40a1576c4bd2770b0ce484ca10d2a5c
call_targets: 0x821ab5215e7970480d1d9c145632e5c15d3b8bbb
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x9f1f786bbfa99093992c58a9484f9422e40a1576c4bd2770b0ce484ca10d2a5c",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x821ab5215e7970480d1d9c145632e5c15d3b8bbb"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x3853682c",
            "selector": "0x3853682c",
            "calldata_variants": [
                "0x3853682c",
                "0x3853682c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x3fad9ae0",
            "selector": "0x3fad9ae0",
            "calldata_variants": [
                "0x3fad9ae0",
                "0x3fad9ae00000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xbedf0f4a",
            "selector": "0xbedf0f4a",
            "calldata_variants": [
                "0xbedf0f4a",
                "0xbedf0f4a0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xc76de3e9",
            "selector": "0xc76de3e9",
            "calldata_variants": [
                "0xc76de3e9",
                "0xc76de3e90000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xed8df164",
            "selector": "0xed8df164",
            "calldata_variants": [
                "0xed8df164",
                "0xed8df1640000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 297,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 569,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 2,
    "guards_detected": [
        {
            "pc": 199,
            "type": "tx_origin_used"
        },
        {
            "pc": 198,
            "type": "tx_origin_used"
        },
        {
            "pc": 1784,
            "type": "tx_origin_used"
        }
    ]
}