e55a7ac9-46dc-47cb-8fd2-309875709a55
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31035 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 76024 | artifact.fetch | complete | 1 / 3 | 1 week ago |
| 76025 | tool.cast_disasm | complete | 1 / 3 | 1 week ago |
| 76026 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 76027 | capability.graph | complete | 1 / 3 | 1 week ago |
| 76028 | detector.run | complete | 1 / 3 | 1 week ago |
| 76029 | validation.fork | complete | 1 / 3 | 1 week ago |
No slither job recorded yet.
[codex:390577] OpenAI Codex v0.77.0 (research preview)
[codex:390577] --------
[codex:390577] workdir: /tmp/codex-multi-9j3h3wxd
[codex:390577] model: gpt-5.2-codex
[codex:390577] provider: openai
[codex:390577] approval: never
[codex:390577] sandbox: read-only
[codex:390577] reasoning effort: xhigh
[codex:390577] reasoning summaries: auto
[codex:390577] session id: 019b79e7-1df0-77b1-a2db-a7cbe7fb4ce9
[codex:390577] --------
[codex:390577] user
[codex:390577] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:390577]
[codex:390577] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:390577]
[codex:390577] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:390577] - Gas inefficiency, code quality, or best practices
[codex:390577] - Theoretical vulnerabilities without a clear extraction path
[codex:390577] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:390577] - Issues requiring social engineering or off-chain coordination
[codex:390577]
[codex:390577] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:390577] - CALL/DELEGATECALL with controllable destination or calldata
[codex:390577] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:390577] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:390577] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:390577] - External calls before state updates (reentrancy)
[codex:390577] - SELFDESTRUCT with controllable beneficiary
[codex:390577] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:390577]
[codex:390577] For each finding, you MUST explain:
[codex:390577] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:390577] 2. The concrete sequence of transactions to extract value
[codex:390577] 3. Why you believe this is exploitable (not just suspicious)
[codex:390577]
[codex:390577] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:390577] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:390577]
[codex:390577] Output MUST be valid JSON matching the provided schema.
[codex:390577] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:390577] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:390577] mcp startup: no servers
[codex:390577]
[codex:390577] thinking
[codex:390577] **Preparing to analyze bytecode bundle**
[codex:390577] exec
[codex:390577] /bin/bash -lc ls in /tmp/codex-multi-9j3h3wxd succeeded in 5ms:
[codex:390577] BYTECODE_BUNDLE.txt
[codex:390577] codex-output-schema.json
[codex:390577] exec
[codex:390577] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-9j3h3wxd succeeded in 5ms:
[codex:390577] Runtime bytecode bundle for best-effort auditing.
[codex:390577] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:390577]
[codex:390577] FILE: runtime_bytecode.hex
[codex:390577] 0x60806040526004361061008e576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff168063049e1d4d1461009057806310bfce71146100cd5780633018205f146100f65780634ee7f87d1461012157806362c529e41461015e57806392eefe9b14610187578063ee8bd82d146101b0578063f77c4791146101ed575b005b34801561009c57600080fd5b506100b760048036036100b29190810190610cfb565b610218565b6040516100c49190610e76565b60405180910390f35b3480156100d957600080fd5b506100f460048036036100ef9190810190610c7e565b6102ff565b005b34801561010257600080fd5b5061010b610345565b6040516101189190610e32565b60405180910390f35b34801561012d57600080fd5b5061014860048036036101439190810190610c17565b61036e565b6040516101559190610e91565b60405180910390f35b34801561016a57600080fd5b5061018560048036036101809190810190610cfb565b6104d3565b005b34801561019357600080fd5b506101ae60048036036101a99190810190610bee565b610682565b005b3480156101bc57600080fd5b506101d760048036036101d29190810190610cbf565b6107c5565b6040516101e49190610e32565b60405180910390f35b3480156101f957600080fd5b5061020261082c565b60405161020f9190610e32565b60405180910390f35b6000806060600080610228610851565b60008088600001519650886020015195508860400151945088608001519350886060015192506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168473ffffffffffffffffffffffffffffffffffffffff161415156102a957600080fd5b6102b487878761036e565b91506102c082846107c5565b90508373ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff1614975050505050505050919050565b60008090505b81518160ff16101561034157610334828260ff1681518110151561032557fe5b906020019060200201516104d3565b8080600101915050610305565b5050565b60008060009054906101000a900473ffffffffffffffffffffffffffffffffffffffff16905090565b600080848484604051808473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166c0100000000000000000000000002815260140183805190602001908083835b6020831015156103ea57805182526020820191506020810190506020830392506103c5565b6001836020036101000a0380198251168184511680821785525050505050509050018281526020019350505050604051809103902090506040805190810160405280601c81526020017f19457468657265756d205369676e6564204d6573736167653a0a333200000000815250816040518083805190602001908083835b60208310151561048d5780518252602082019150602081019050602083039250610468565b6001836020036101000a03801982511681845116808217855250505050505090500182600019166000191681526020019250505060405180910390209150509392505050565b60006060600080846000015193508460200151925084604001519150846080015190507f74d34c6fe876d2d910521ea7c31bdea6530879732d5e8fa3781ce25171fa17608482604051610527929190610e4d565b60405180910390a161053885610218565b1515610579576040517f08c379a000000000000000000000000000000000000000000000000000000000815260040161057090610ef1565b60405180910390fd5b8373ffffffffffffffffffffffffffffffffffffffff16828460405180828051906020019080838360005b838110156105bf5780820151818401526020810190506105a4565b50505050905090810190601f1680156105ec5780820380516001836020036101000a031916815260200191505b5091505060006040518083038185875af1925050501515610642576040517f08c379a000000000000000000000000000000000000000000000000000000000815260040161063990610f11565b60405180910390fd5b7f9ae6eab77ab97680a0708bbb21af686ae24276636c6aa70f8a02f4cccd49499b8482604051610673929190610e4d565b60405180910390a15050505050565b7f4f7b0265dc15e282f56ae0820603286a6547460256b0fe068e6ed578cb3d8bb6816040516106b19190610e32565b60405180910390a16000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff16141561078a57806000806101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff1602179055507f5c4387c894a24bbdaab0ebb3e90d2d0f0d1900a6b4878e87c1fc3bfe75c1f0df8160405161077d9190610e32565b60405180910390a16107c2565b7f6e7c18ac33fbdcd4f970e95dbb26c2f291e243f724c43b33c701f00f75826513816040516107b99190610e32565b60405180910390a15b50565b6000600183836000015184602001518560400151604051600081526020016040526040516107f69493929190610eac565b60206040516020810390808403906000865af115801561081a573d6000803e3d6000fd5b50505060206040510351905092915050565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b606060405190810160405280600060ff16815260200160008019168152602001600080191681525090565b60006108888235611021565b905092915050565b600082601f83011215156108a357600080fd5b81356108b66108b182610f5e565b610f31565b9150818183526020840193506020810190508360005b838110156108fc57813586016108e28882610a86565b8452602084019350602083019250506001810190506108cc565b5050505092915050565b60006109128235611041565b905092915050565b600082601f830112151561092d57600080fd5b813561094061093b82610f86565b610f31565b9150808252602083016020830185838301111561095c57600080fd5b610967838284611062565b50505092915050565b600082601f830112151561098357600080fd5b813561099661099182610fb2565b610f31565b915080825260208301602083018583830111156109b257600080fd5b6109bd838284611062565b50505092915050565b6000606082840312156109d857600080fd5b6109e26060610f31565b905060006109f284828501610bda565b6000830152506020610a0684828501610906565b6020830152506040610a1a84828501610906565b60408301525092915050565b600060608284031215610a3857600080fd5b610a426060610f31565b90506000610a5284828501610bda565b6000830152506020610a6684828501610906565b6020830152506040610a7a84828501610906565b60408301525092915050565b600060e08284031215610a9857600080fd5b610aa260a0610f31565b90506000610ab28482850161087c565b600083015250602082013567ffffffffffffffff811115610ad257600080fd5b610ade8482850161091a565b6020830152506040610af284828501610bc6565b6040830152506060610b06848285016109c6565b60608301525060c0610b1a8482850161087c565b60808301525092915050565b600060e08284031215610b3857600080fd5b610b4260a0610f31565b90506000610b528482850161087c565b600083015250602082013567ffffffffffffffff811115610b7257600080fd5b610b7e8482850161091a565b6020830152506040610b9284828501610bc6565b6040830152506060610ba6848285016109c6565b60608301525060c0610bba8482850161087c565b60808301525092915050565b6000610bd2823561104b565b905092915050565b6000610be68235611055565b905092915050565b600060208284031215610c0057600080fd5b6000610c0e8482850161087c565b91505092915050565b600080600060608486031215610c2c57600080fd5b6000610c3a8682870161087c565b935050602084013567ffffffffffffffff811115610c5757600080fd5b610c6386828701610970565b9250506040610c7486828701610bc6565b9150509250925092565b600060208284031215610c9057600080fd5b600082013567ffffffffffffffff811115610caa57600080fd5b610cb684828501610890565b91505092915050565b60008060808385031215610cd257600080fd5b6000610ce085828601610906565b9250506020610cf185828601610a26565b9150509250929050565b600060208284031215610d0d57600080fd5b600082013567ffffffffffffffff811115610d2757600080fd5b610d3384828501610b26565b91505092915050565b610d4581610fde565b82525050565b610d5481610ffe565b82525050565b610d638161100a565b82525050565b6000603382527f436f6e74726f6c6c6572206973206e6f7420617574686f72697a656420746f2060208301527f65786563757465207472616e73616374696f6e000000000000000000000000006040830152606082019050919050565b6000602382527f5472616e73616374696f6e206661696c656420647572696e672065786563757460208301527f696f6e00000000000000000000000000000000000000000000000000000000006040830152606082019050919050565b610e2c81611014565b82525050565b6000602082019050610e476000830184610d3c565b92915050565b6000604082019050610e626000830185610d3c565b610e6f6020830184610d3c565b9392505050565b6000602082019050610e8b6000830184610d4b565b92915050565b6000602082019050610ea66000830184610d5a565b92915050565b6000608082019050610ec16000830187610d5a565b610ece6020830186610e23565b610edb6040830185610d5a565b610ee86060830184610d5a565b95945050505050565b60006020820190508181036000830152610f0a81610d69565b9050919050565b60006020820190508181036000830152610f2a81610dc6565b9050919050565b6000604051905081810181811067ffffffffffffffff82111715610f5457600080fd5b8060405250919050565b600067ffffffffffffffff821115610f7557600080fd5b602082029050602081019050919050565b600067ffffffffffffffff821115610f9d57600080fd5b601f19601f8301169050602081019050919050565b600067ffffffffffffffff821115610fc957600080fd5b601f19601f8301169050602081019050919050565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b60008115159050919050565b6000819050919050565b600060ff82169050919050565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b6000819050919050565b6000819050919050565b600060ff82169050919050565b828183376000838301525050505600a265627a7a723058200882f5e615d2f3690ee950d0850b981d499579b01fcef47c34ed827e06bd84a76c6578706572696d656e74616cf50037
[codex:390577]
[codex:390577]
[codex:390577] thinking
[codex:390577] **Interpreting bytecode functions and potential exploits**
[codex:390577] thinking
[codex:390577] **Examining call to ecrecover precompile and disassembly approach**
[codex:390577]
[codex:390577] I’m parsing how function 0x7c5 builds calldata and calls the ecrecover precompile, noting it uses a CALL opcode to address 0x01 with constructed input. To confirm details and locate possible issues, I plan to write a small local EVM bytecode disassembler in Python to clearly view opcodes and stack usage around critical functions like 0x4d3 and 0x7c5. This will help me uncover subtle control flows or vulnerabilities.
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] # remove possible whitespace
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] # opcode mapping
[codex:390577] opcodes = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] # add base opcodes
[codex:390577] base = {
[codex:390577] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:390577] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:390577] 0x20:'SHA3',
[codex:390577] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:390577] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:390577] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:390577] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:390577] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:390577] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:390577] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:390577] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:390577] }
[codex:390577] opcodes.update(base)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] # disassemble function to show around offset
[codex:390577]
[codex:390577] def disasm(start, end):
[codex:390577] i = start
[codex:390577] out = []
[codex:390577] while i < end:
[codex:390577] op = code[i]
[codex:390577] if 0x60 <= op <= 0x7f:
[codex:390577] n = op - 0x5f
[codex:390577] data = code[i+1:i+1+n]
[codex:390577] out.append((i, f'{opcodes[op]} 0x{data.hex()}'))
[codex:390577] i += 1 + n
[codex:390577] else:
[codex:390577] out.append((i, opcodes.get(op, f'OP_{op:02x}')))
[codex:390577] i += 1
[codex:390577] return out
[codex:390577]
[codex:390577] # show disasm around key offsets
[codex:390577] for start in [0x218,0x2ff,0x345,0x36e,0x4d3,0x682,0x7c5,0x82c]:
[codex:390577] print('\\n== disasm 0x%04x ==' % start)
[codex:390577] for off,op in disasm(start, start+0x80):
[codex:390577] print(f'{off:04x}: {op}')
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 42ms:
[codex:390577]
[codex:390577] == disasm 0x0218 ==
[codex:390577] 0218: JUMPDEST
[codex:390577] 0219: PUSH1 0x00
[codex:390577] 021b: DUP1
[codex:390577] 021c: PUSH1 0x60
[codex:390577] 021e: PUSH1 0x00
[codex:390577] 0220: DUP1
[codex:390577] 0221: PUSH2 0x0228
[codex:390577] 0224: PUSH2 0x0851
[codex:390577] 0227: JUMP
[codex:390577] 0228: JUMPDEST
[codex:390577] 0229: PUSH1 0x00
[codex:390577] 022b: DUP1
[codex:390577] 022c: DUP9
[codex:390577] 022d: PUSH1 0x00
[codex:390577] 022f: ADD
[codex:390577] 0230: MLOAD
[codex:390577] 0231: SWAP7
[codex:390577] 0232: POP
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing CALL parameters and ecrecover usage**
[codex:390577]
[codex:390577] I'm piecing together the CALL stack setup at function 0x7c5 to confirm it targets the ecrecover precompile at address 1, which fits a signature verification pattern. I see they push value=0 and to=1, matching ecrecover, so this function likely recovers addresses from signatures. Next, I want to check if the signed message includes a nonce or contract address to prevent replay attacks, so I plan to inspect the hash-building function at 0x36e by disassembling more around 0x03ea using Python for a full view.
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] # minimal opcode mapping
[codex:390577] opcodes = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base = {0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:390577] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:390577] 0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:390577] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:390577] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:390577] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:390577] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:390577] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:390577] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] opcodes.update(base)
[codex:390577]
[codex:390577] def disasm(start, end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {opcodes[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {opcodes.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] # find end of function 0x36e by scanning until JUMPDEST of next function maybe 0x4d3? Actually 0x36e extends to before 0x4d3.
[codex:390577] # We'll disasm from 0x36e to 0x4d3
[codex:390577] print('disasm 0x36e-0x4d3')
[codex:390577] disasm(0x36e, 0x4d3)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 27ms:
[codex:390577] disasm 0x36e-0x4d3
[codex:390577] 036e: JUMPDEST
[codex:390577] 036f: PUSH1 0x00
[codex:390577] 0371: DUP1
[codex:390577] 0372: DUP5
[codex:390577] 0373: DUP5
[codex:390577] 0374: DUP5
[codex:390577] 0375: PUSH1 0x40
[codex:390577] 0377: MLOAD
[codex:390577] 0378: DUP1
[codex:390577] 0379: DUP5
[codex:390577] 037a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
[codex:390577] 038f: AND
[codex:390577] 0390: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
[codex:390577] 03a5: AND
[codex:390577] 03a6: PUSH13 0x01000000000000000000000000
[codex:390577] 03b4: MUL
[codex:390577] 03b5: DUP2
[codex:390577] 03b6: MSTORE
[codex:390577] 03b7: PUSH1 0x14
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing keccak hashing pattern**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x218-0x2ff')
[codex:390577] disasm(0x218,0x2ff)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 27ms:
[codex:390577] disasm 0x218-0x2ff
[codex:390577] 0218: JUMPDEST
[codex:390577] 0219: PUSH1 0x00
[codex:390577] 021b: DUP1
[codex:390577] 021c: PUSH1 0x60
[codex:390577] 021e: PUSH1 0x00
[codex:390577] 0220: DUP1
[codex:390577] 0221: PUSH2 0x0228
[codex:390577] 0224: PUSH2 0x0851
[codex:390577] 0227: JUMP
[codex:390577] 0228: JUMPDEST
[codex:390577] 0229: PUSH1 0x00
[codex:390577] 022b: DUP1
[codex:390577] 022c: DUP9
[codex:390577] 022d: PUSH1 0x00
[codex:390577] 022f: ADD
[codex:390577] 0230: MLOAD
[codex:390577] 0231: SWAP7
[codex:390577] 0232: POP
[codex:390577] 0233: DUP9
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing function call and parameters**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x4d3-0x682')
[codex:390577] disasm(0x4d3,0x682)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 27ms:
[codex:390577] disasm 0x4d3-0x682
[codex:390577] 04d3: JUMPDEST
[codex:390577] 04d4: PUSH1 0x00
[codex:390577] 04d6: PUSH1 0x60
[codex:390577] 04d8: PUSH1 0x00
[codex:390577] 04da: DUP1
[codex:390577] 04db: DUP5
[codex:390577] 04dc: PUSH1 0x00
[codex:390577] 04de: ADD
[codex:390577] 04df: MLOAD
[codex:390577] 04e0: SWAP4
[codex:390577] 04e1: POP
[codex:390577] 04e2: DUP5
[codex:390577] 04e3: PUSH1 0x20
[codex:390577] 04e5: ADD
[codex:390577] 04e6: MLOAD
[codex:390577] 04e7: SWAP3
[codex:390577] 04e8: POP
[codex:390577] 04e9: DUP5
[codex:390577] 04ea: PUSH1 0x40
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing memory struct and array access patterns**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x0c7e-0x0cfb')
[codex:390577] disasm(0x0c7e,0x0cfb)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 28ms:
[codex:390577] disasm 0x0c7e-0x0cfb
[codex:390577] 0c7e: JUMPDEST
[codex:390577] 0c7f: PUSH1 0x00
[codex:390577] 0c81: PUSH1 0x20
[codex:390577] 0c83: DUP3
[codex:390577] 0c84: DUP5
[codex:390577] 0c85: SUB
[codex:390577] 0c86: SLT
[codex:390577] 0c87: ISZERO
[codex:390577] 0c88: PUSH2 0x0c90
[codex:390577] 0c8b: JUMPI
[codex:390577] 0c8c: PUSH1 0x00
[codex:390577] 0c8e: DUP1
[codex:390577] 0c8f: REVERT
[codex:390577] 0c90: JUMPDEST
[codex:390577] 0c91: PUSH1 0x00
[codex:390577] 0c93: DUP3
[codex:390577] 0c94: ADD
[codex:390577] 0c95: CALLDATALOAD
[codex:390577] 0c96: PUSH8 0xffffffffffffffff
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing bytes decoding and storage usage**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] # find SSTORE opcodes
[codex:390577] sstore_offsets=[]
[codex:390577] for i,b in enumerate(code):
[codex:390577] if b==0x55:
[codex:390577] sstore_offsets.append(i)
[codex:390577] print('SSTORE offsets:', sstore_offsets)
[codex:390577] # find SLOAD offsets
[codex:390577] sload_offsets=[i for i,b in enumerate(code) if b==0x54]
[codex:390577] print('SLOAD count', len(sload_offsets),'first few', sload_offsets[:10])
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 28ms:
[codex:390577] SSTORE offsets: [334, 1869, 3044]
[codex:390577] SLOAD count 8 first few [595, 844, 1726, 1816, 2097, 3406, 3534, 3918]
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing SSTORE offsets**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm_range(center, before=10, after=10):
[codex:390577] start=max(0, center-before)
[codex:390577] end=min(len(code), center+after)
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] for off in [334,1869,3044]:
[codex:390577] print('\\nAround SSTORE at',off, hex(off))
[codex:390577] disasm_range(off, before=20, after=20)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 29ms:
[codex:390577]
[codex:390577] Around SSTORE at 334 0x14e
[codex:390577] 013a: SWAP2
[codex:390577] 013b: SWAP1
[codex:390577] 013c: DUP2
[codex:390577] 013d: ADD
[codex:390577] 013e: SWAP1
[codex:390577] 013f: PUSH2 0x0c17
[codex:390577] 0142: JUMP
[codex:390577] 0143: JUMPDEST
[codex:390577] 0144: PUSH2 0x036e
[codex:390577] 0147: JUMP
[codex:390577] 0148: JUMPDEST
[codex:390577] 0149: PUSH1 0x40
[codex:390577] 014b: MLOAD
[codex:390577] 014c: PUSH2 0x0155
[codex:390577] 014f: SWAP2
[codex:390577] 0150: SWAP1
[codex:390577] 0151: PUSH2 0x0e91
[codex:390577] 0154: JUMP
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing SSTORE alignment issues**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x682-0x7c5')
[codex:390577] disasm(0x682,0x7c5)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 29ms:
[codex:390577] disasm 0x682-0x7c5
[codex:390577] 0682: JUMPDEST
[codex:390577] 0683: PUSH32 0x4f7b0265dc15e282f56ae0820603286a6547460256b0fe068e6ed578cb3d8bb6
[codex:390577] 06a4: DUP2
[codex:390577] 06a5: PUSH1 0x40
[codex:390577] 06a7: MLOAD
[codex:390577] 06a8: PUSH2 0x06b1
[codex:390577] 06ab: SWAP2
[codex:390577] 06ac: SWAP1
[codex:390577] 06ad: PUSH2 0x0e32
[codex:390577] 06b0: JUMP
[codex:390577] 06b1: JUMPDEST
[codex:390577] 06b2: PUSH1 0x40
[codex:390577] 06b4: MLOAD
[codex:390577] 06b5: DUP1
[codex:390577] 06b6: SWAP2
[codex:390577] 06b7: SUB
[codex:390577] 06b8: SWAP1
[codex:390577] 06b9: LOG1
[codex:390577] 06ba: PUSH1 0x00
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing replay vulnerability potential**
[codex:390577]
[codex:390577] I'm carefully tracing the contract’s use of storage and stack to confirm there’s no nonce or state change preventing replay attacks. It looks like signature verification happens without nonce tracking, meaning valid signatures could be reused to repeat transactions, risking fund drainage. I’m digging into how the transaction hash is constructed to see if it includes any unique, replay-preventing data like a nonce—so far, it seems to hash just address, bytes, and a uint256, likely excluding nonce or chain ID, which raises concerns about replayability.
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x0cfb-0x0d0d')
[codex:390577] disasm(0x0cfb,0x0d0d)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 27ms:
[codex:390577] disasm 0x0cfb-0x0d0d
[codex:390577] 0cfb: JUMPDEST
[codex:390577] 0cfc: PUSH1 0x00
[codex:390577] 0cfe: PUSH1 0x20
[codex:390577] 0d00: DUP3
[codex:390577] 0d01: DUP5
[codex:390577] 0d02: SUB
[codex:390577] 0d03: SLT
[codex:390577] 0d04: ISZERO
[codex:390577] 0d05: PUSH2 0x0d0d
[codex:390577] 0d08: JUMPI
[codex:390577] 0d09: PUSH1 0x00
[codex:390577] 0d0b: DUP1
[codex:390577] 0d0c: REVERT
[codex:390577]
[codex:390577] thinking
[codex:390577] **Extending data range for review**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] ops = {i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}
[codex:390577] base={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
[codex:390577] ops.update(base)
[codex:390577]
[codex:390577] def disasm(start,end):
[codex:390577] i=start
[codex:390577] while i<end:
[codex:390577] op=code[i]
[codex:390577] if 0x60<=op<=0x7f:
[codex:390577] n=op-0x5f
[codex:390577] data=code[i+1:i+1+n]
[codex:390577] print(f'{i:04x}: {ops[op]} 0x{data.hex()}')
[codex:390577] i+=1+n
[codex:390577] else:
[codex:390577] print(f'{i:04x}: {ops.get(op, f\"OP_{op:02x}\")}')
[codex:390577] i+=1
[codex:390577]
[codex:390577] print('disasm 0x0cfb-0x0d45')
[codex:390577] disasm(0x0cfb,0x0d45)
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 26ms:
[codex:390577] disasm 0x0cfb-0x0d45
[codex:390577] 0cfb: JUMPDEST
[codex:390577] 0cfc: PUSH1 0x00
[codex:390577] 0cfe: PUSH1 0x20
[codex:390577] 0d00: DUP3
[codex:390577] 0d01: DUP5
[codex:390577] 0d02: SUB
[codex:390577] 0d03: SLT
[codex:390577] 0d04: ISZERO
[codex:390577] 0d05: PUSH2 0x0d0d
[codex:390577] 0d08: JUMPI
[codex:390577] 0d09: PUSH1 0x00
[codex:390577] 0d0b: DUP1
[codex:390577] 0d0c: REVERT
[codex:390577] 0d0d: JUMPDEST
[codex:390577] 0d0e: PUSH1 0x00
[codex:390577] 0d10: DUP3
[codex:390577] 0d11: ADD
[codex:390577] 0d12: CALLDATALOAD
[codex:390577] 0d13: PUSH8 0xffffffffffffffff
[codex:390577]
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing transaction execution and signature verification**
[codex:390577] thinking
[codex:390577] **Verifying absence of nonce and replay protections**
[codex:390577]
[codex:390577] I'm checking for any storage updates that might track a nonce or prevent replay, finding none beyond setting the controller. I’m inspecting the signed data construction to see if unique identifiers like chain ID or contract address are included, but it looks like only the controller address and transaction bytes are hashed, which suggests replay remains possible without additional protections.
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] selfdestruct_offsets=[i for i,b in enumerate(code) if b==0xff]
[codex:390577] print('SELFDESTRUCT offsets:', selfdestruct_offsets[:20], 'count', len(selfdestruct_offsets))
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 32ms:
[codex:390577] SELFDESTRUCT offsets: [49, 50, 51, 52, 242, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618] count 422
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing replay attack feasibility**
[codex:390577] exec
[codex:390577] /bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-multi-9j3h3wxd succeeded in 5ms:
[codex:390577] {"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing exploitability of signature replay vulnerability**
[codex:390577] exec
[codex:390577] /bin/bash -lc "python - <<'PY'
[codex:390577] import re
[codex:390577] from pathlib import Path
[codex:390577] hexdata = Path('BYTECODE_BUNDLE.txt').read_text().split('0x',1)[1].strip().split('\\n',1)[0].strip()
[codex:390577] hexdata = re.sub(r'["'^0-9a-fA-F]'"', '', hexdata)
[codex:390577] code = bytes.fromhex(hexdata)
[codex:390577] for op,name in [(0x42,'TIMESTAMP'),(0x43,'NUMBER'),(0x46,'CHAINID'),(0x30,'ADDRESS')]:
[codex:390577] offs=[i for i,b in enumerate(code) if b==op]
[codex:390577] print(name, len(offs), offs[:10])
[codex:390577] PY" in /tmp/codex-multi-9j3h3wxd succeeded in 27ms:
[codex:390577] TIMESTAMP 4 [1542, 1621, 2619, 2875]
[codex:390577] NUMBER 4 [313, 1873, 1950, 3441]
[codex:390577] CHAINID 1 [1686]
[codex:390577] ADDRESS 2 [78, 4216]
[codex:390577]
[codex:390577] thinking
[codex:390577] **Analyzing replay vulnerability in contract bytecode**
[codex:390577]
[codex:390577] This is a thorough dive into contract bytecode revealing a replay attack vector due to missing nonce or used-hash tracking. I’m piecing together evidence from multiple offsets to confirm anyone can replay a valid signed transaction to repeatedly withdraw funds, highlighting a clear profit path for an attacker holding a signed payload. This looks like a concrete exploit scenario worth reporting with detailed findings and recommendations.
[codex:390577] codex
[codex:390577] {"no_findings":false,"summary":"Signature-based execution is replayable: the contract verifies signatures but never stores/consumes a nonce or hash, so any valid signed transaction can be executed repeatedly to drain funds if you can obtain one payout signature.","findings":[{"severity":"high","category":"auth","title":"Replayable signed transactions (no nonce/used-hash tracking) allow repeated withdrawals","exploit_scenario":"1) Observe or obtain a valid signed transaction payload (e.g., a one-time payout to your address) used with selector 0x62c529e4. 2) Call the same function again with the exact same payload/signature. 3) Because no nonce/used-hash is stored, the signature check passes every time and the contract re-executes the underlying CALL, transferring ETH/tokens repeatedly until the balance is exhausted.","recommendation":"Include a nonce or transaction-hash replay protection in storage (e.g., incrementing nonce or mapping used hashes) and verify it as part of the signed message before executing.","evidence":"Signature verification uses ecrecover via precompile call (PUSH1 0x01 then CALL at 0x07c6–0x0809) after hashing with the Ethereum Signed Message prefix (0x36e includes 0x19457468... at 0x0434). Execution path (0x04d3) calls the signature check (jump to 0x0218 at 0x0533–0x0537) and then performs the external CALL (0x05fd). There is no SSTORE in the execution path; the only runtime SSTORE is at 0x074d (controller update), so no nonce/used-hash is ever recorded.","locations":["runtime_bytecode.hex:0x04d3","runtime_bytecode.hex:0x0218","runtime_bytecode.hex:0x036e","runtime_bytecode.hex:0x07c6","runtime_bytecode.hex:0x0809","runtime_bytecode.hex:0x074d"]}]}
[codex:390577] tokens used
[codex:390577] 78,759
[codex:390577] {"no_findings":false,"summary":"Signature-based execution is replayable: the contract verifies signatures but never stores/consumes a nonce or hash, so any valid signed transaction can be executed repeatedly to drain funds if you can obtain one payout signature.","findings":[{"severity":"high","category":"auth","title":"Replayable signed transactions (no nonce/used-hash tracking) allow repeated withdrawals","exploit_scenario":"1) Observe or obtain a valid signed transaction payload (e.g., a one-time payout to your address) used with selector 0x62c529e4. 2) Call the same function again with the exact same payload/signature. 3) Because no nonce/used-hash is stored, the signature check passes every time and the contract re-executes the underlying CALL, transferring ETH/tokens repeatedly until the balance is exhausted.","recommendation":"Include a nonce or transaction-hash replay protection in storage (e.g., incrementing nonce or mapping used hashes) and verify it as part of the signed message before executing.","evidence":"Signature verification uses ecrecover via precompile call (PUSH1 0x01 then CALL at 0x07c6–0x0809) after hashing with the Ethereum Signed Message prefix (0x36e includes 0x19457468... at 0x0434). Execution path (0x04d3) calls the signature check (jump to 0x0218 at 0x0533–0x0537) and then performs the external CALL (0x05fd). There is no SSTORE in the execution path; the only runtime SSTORE is at 0x074d (controller update), so no nonce/used-hash is ever recorded.","locations":["runtime_bytecode.hex:0x04d3","runtime_bytecode.hex:0x0218","runtime_bytecode.hex:0x036e","runtime_bytecode.hex:0x07c6","runtime_bytecode.hex:0x0809","runtime_bytecode.hex:0x074d"]}]}
{
"codex": {
"ran_at": "2026-01-01T14:24:04.680961+00:00",
"returncode": 0
},
"summary": "Signature-based execution is replayable: the contract verifies signatures but never stores/consumes a nonce or hash, so any valid signed transaction can be executed repeatedly to drain funds if you can obtain one payout signature.",
"raw_final": {
"summary": "Signature-based execution is replayable: the contract verifies signatures but never stores/consumes a nonce or hash, so any valid signed transaction can be executed repeatedly to drain funds if you can obtain one payout signature.",
"findings": [
{
"title": "Replayable signed transactions (no nonce/used-hash tracking) allow repeated withdrawals",
"category": "auth",
"evidence": "Signature verification uses ecrecover via precompile call (PUSH1 0x01 then CALL at 0x07c6\u20130x0809) after hashing with the Ethereum Signed Message prefix (0x36e includes 0x19457468... at 0x0434). Execution path (0x04d3) calls the signature check (jump to 0x0218 at 0x0533\u20130x0537) and then performs the external CALL (0x05fd). There is no SSTORE in the execution path; the only runtime SSTORE is at 0x074d (controller update), so no nonce/used-hash is ever recorded.",
"severity": "high",
"locations": [
"runtime_bytecode.hex:0x04d3",
"runtime_bytecode.hex:0x0218",
"runtime_bytecode.hex:0x036e",
"runtime_bytecode.hex:0x07c6",
"runtime_bytecode.hex:0x0809",
"runtime_bytecode.hex:0x074d"
],
"recommendation": "Include a nonce or transaction-hash replay protection in storage (e.g., incrementing nonce or mapping used hashes) and verify it as part of the signed message before executing.",
"exploit_scenario": "1) Observe or obtain a valid signed transaction payload (e.g., a one-time payout to your address) used with selector 0x62c529e4. 2) Call the same function again with the exact same payload/signature. 3) Because no nonce/used-hash is stored, the signature check passes every time and the contract re-executes the underlying CALL, transferring ETH/tokens repeatedly until the balance is exhausted."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x008e 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH29 0x0100000000000000000000000000000000000000000000000000000000 0000002e: SWAP1 0000002f: DIV 00000030: PUSH4 0xffffffff 00000035: AND 00000036: DUP1 00000037: PUSH4 0x049e1d4d 0000003c: EQ 0000003d: PUSH2 0x0090 00000040: JUMPI 00000041: DUP1 00000042: PUSH4 0x10bfce71 00000047: EQ 00000048: PUSH2 0x00cd 0000004b: JUMPI 0000004c: DUP1 0000004d: PUSH4 0x3018205f 00000052: EQ 00000053: PUSH2 0x00f6 00000056: JUMPI 00000057: DUP1 00000058: PUSH4 0x4ee7f87d 0000005d: EQ 0000005e: PUSH2 0x0121 00000061: JUMPI 00000062: DUP1 00000063: PUSH4 0x62c529e4 00000068: EQ 00000069: PUSH2 0x015e 0000006c: JUMPI 0000006d: DUP1 0000006e: PUSH4 0x92eefe9b 00000073: EQ 00000074: PUSH2 0x0187 00000077: JUMPI 00000078: DUP1 00000079: PUSH4 0xee8bd82d 0000007e: EQ 0000007f: PUSH2 0x01b0 00000082: JUMPI 00000083: DUP1 00000084: PUSH4 0xf77c4791 00000089: EQ 0000008a: PUSH2 0x01ed 0000008d: JUMPI 0000008e: JUMPDEST 0000008f: STOP 00000090: JUMPDEST 00000091: CALLVALUE 00000092: DUP1 00000093: ISZERO 00000094: PUSH2 0x009c 00000097: JUMPI 00000098: PUSH1 0x00 0000009a: DUP1 0000009b: REVERT 0000009c: JUMPDEST 0000009d: POP 0000009e: PUSH2 0x00b7 000000a1: PUSH1 0x04 000000a3: DUP1 000000a4: CALLDATASIZE 000000a5: SUB 000000a6: PUSH2 0x00b2 000000a9: SWAP2 000000aa: SWAP1 000000ab: DUP2 000000ac: ADD 000000ad: SWAP1 000000ae: PUSH2 0x0cfb 000000b1: JUMP 000000b2: JUMPDEST 000000b3: PUSH2 0x0218 000000b6: JUMP 000000b7: JUMPDEST 000000b8: PUSH1 0x40 000000ba: MLOAD 000000bb: PUSH2 0x00c4 000000be: SWAP2 000000bf: SWAP1 000000c0: PUSH2 0x0e76 000000c3: JUMP 000000c4: JUMPDEST 000000c5: PUSH1 0x40 000000c7: MLOAD 000000c8: DUP1 000000c9: SWAP2 000000ca: SUB 000000cb: SWAP1 000000cc: RETURN 000000cd: JUMPDEST 000000ce: CALLVALUE 000000cf: DUP1 000000d0: ISZERO 000000d1: PUSH2 0x00d9 000000d4: JUMPI 000000d5: PUSH1 0x00 000000d7: DUP1 000000d8: REVERT 000000d9: JUMPDEST 000000da: POP 000000db: PUSH2 0x00f4 000000de: PUSH1 0x04 000000e0: DUP1 000000e1: CALLDATASIZE 000000e2: SUB 000000e3: PUSH2 0x00ef 000000e6: SWAP2 000000e7: SWAP1 000000e8: DUP2 000000e9: ADD 000000ea: SWAP1 000000eb: PUSH2 0x0c7e 000000ee: JUMP 000000ef: JUMPDEST 000000f0: PUSH2 0x02ff 000000f3: JUMP 000000f4: JUMPDEST 000000f5: STOP 000000f6: JUMPDEST 000000f7: CALLVALUE 000000f8: DUP1 000000f9: ISZERO 000000fa: PUSH2 0x0102 000000fd: JUMPI 000000fe: PUSH1 0x00 00000100: DUP1 00000101: REVERT 00000102: JUMPDEST 00000103: POP 00000104: PUSH2 0x010b 00000107: PUSH2 0x0345 0000010a: JUMP 0000010b: JUMPDEST 0000010c: PUSH1 0x40 0000010e: MLOAD 0000010f: PUSH2 0x0118 00000112: SWAP2 00000113: SWAP1 00000114: PUSH2 0x0e32 00000117: JUMP 00000118: JUMPDEST 00000119: PUSH1 0x40 0000011b: MLOAD 0000011c: DUP1 0000011d: SWAP2 0000011e: SUB 0000011f: SWAP1 00000120: RETURN 00000121: JUMPDEST 00000122: CALLVALUE 00000123: DUP1 00000124: ISZERO 00000125: PUSH2 0x012d 00000128: JUMPI 00000129: PUSH1 0x00 0000012b: DUP1 0000012c: REVERT 0000012d: JUMPDEST 0000012e: POP 0000012f: PUSH2 0x0148 00000132: PUSH1 0x04 00000134: DUP1 00000135: CALLDATASIZE 00000136: SUB 00000137: PUSH2 0x0143 0000013a: SWAP2 0000013b: SWAP1 0000013c: DUP2 0000013d: ADD 0000013e: SWAP1 0000013f: PUSH2 0x0c17 00000142: JUMP 00000143: JUMPDEST 00000144: PUSH2 0x036e 00000147: JUMP 00000148: JUMPDEST 00000149: PUSH1 0x40 0000014b: MLOAD 0000014c: PUSH2 0x0155 0000014f: SWAP2 00000150: SWAP1 00000151: PUSH2 0x0e91 00000154: JUMP 00000155: JUMPDEST 00000156: PUSH1 0x40 00000158: MLOAD 00000159: DUP1 0000015a: SWAP2 0000015b: SUB 0000015c: SWAP1 0000015d: RETURN 0000015e: JUMPDEST 0000015f: CALLVALUE 00000160: DUP1 00000161: ISZERO 00000162: PUSH2 0x016a 00000165: JUMPI 00000166: PUSH1 0x00 00000168: DUP1 00000169: REVERT 0000016a: JUMPDEST 0000016b: POP 0000016c: PUSH2 0x0185 0000016f: PUSH1 0x04 00000171: DUP1 00000172: CALLDATASIZE 00000173: SUB 00000174: PUSH2 0x0180 00000177: SWAP2 00000178: SWAP1 00000179: DUP2 0000017a: ADD 0000017b: SWAP1 0000017c: PUSH2 0x0cfb 0000017f: JUMP 00000180: JUMPDEST 00000181: PUSH2 0x04d3 00000184: JUMP 00000185: JUMPDEST 00000186: STOP 00000187: JUMPDEST 00000188: CALLVALUE 00000189: DUP1 0000018a: ISZERO 0000018b: PUSH2 0x0193 0000018e: JUMPI 0000018f: PUSH1 0x00 00000191: DUP1 00000192: REVERT 00000193: JUMPDEST 00000194: POP 00000195: PUSH2 0x01ae 00000198: PUSH1 0x04 0000019a: DUP1 0000019b: CALLDATASIZE 0000019c: SUB 0000019d: PUSH2 0x01a9 000001a0: SWAP2 000001a1: SWAP1 000001a2: DUP2 000001a3: ADD 000001a4: SWAP1 000001a5: PUSH2 0x0bee 000001a8: JUMP 000001a9: JUMPDEST 000001aa: PUSH2 0x0682 000001ad: JUMP 000001ae: JUMPDEST 000001af: STOP 000001b0: JUMPDEST 000001b1: CALLVALUE 000001b2: DUP1 000001b3: ISZERO 000001b4: PUSH2 0x01bc 000001b7: JUMPI 000001b8: PUSH1 0x00 000001ba: DUP1 000001bb: REVERT 000001bc: JUMPDEST 000001bd: POP 000001be: PUSH2 0x01d7 000001c1: PUSH1 0x04 000001c3: DUP1 000001c4: CALLDATASIZE 000001c5: SUB 000001c6: PUSH2 0x01d2 000001c9: SWAP2 000001ca: SWAP1 000001cb: DUP2 000001cc: ADD 000001cd: SWAP1 000001ce: PUSH2 0x0cbf 000001d1: JUMP 000001d2: JUMPDEST 000001d3: PUSH2 0x07c5 000001d6: JUMP 000001d7: JUMPDEST 000001d8: PUSH1 0x40 000001da: MLOAD 000001db: PUSH2 0x01e4 000001de: SWAP2 000001df: SWAP1 000001e0: PUSH2 0x0e32 000001e3: JUMP 000001e4: JUMPDEST 000001e5: PUSH1 0x40 000001e7: MLOAD 000001e8: DUP1 000001e9: SWAP2 000001ea: SUB 000001eb: SWAP1 000001ec: RETURN 000001ed: JUMPDEST 000001ee: CALLVALUE 000001ef: DUP1 000001f0: ISZERO 000001f1: PUSH2 0x01f9 000001f4: JUMPI 000001f5: PUSH1 0x00 000001f7: DUP1 000001f8: REVERT 000001f9: JUMPDEST 000001fa: POP 000001fb: PUSH2 0x0202 000001fe: PUSH2 0x082c 00000201: JUMP 00000202: JUMPDEST 00000203: PUSH1 0x40 00000205: MLOAD 00000206: PUSH2 0x020f 00000209: SWAP2 0000020a: SWAP1 0000020b: PUSH2 0x0e32 0000020e: JUMP 0000020f: JUMPDEST 00000210: PUSH1 0x40 00000212: MLOAD 00000213: DUP1 00000214: SWAP2 00000215: SUB 00000216: SWAP1 00000217: RETURN 00000218: JUMPDEST 00000219: PUSH1 0x00 0000021b: DUP1 0000021c: PUSH1 0x60 0000021e: PUSH1 0x00 00000220: DUP1 00000221: PUSH2 0x0228 00000224: PUSH2 0x0851 00000227: JUMP 00000228: JUMPDEST 00000229: PUSH1 0x00 0000022b: DUP1 0000022c: DUP9 0000022d: PUSH1 0x00 0000022f: ADD 00000230: MLOAD 00000231: SWAP7 00000232: POP 00000233: DUP9 00000234: PUSH1 0x20 00000236: ADD 00000237: MLOAD 00000238: SWAP6 00000239: POP 0000023a: DUP9 0000023b: PUSH1 0x40 0000023d: ADD 0000023e: MLOAD 0000023f: SWAP5 00000240: POP 00000241: DUP9 00000242: PUSH1 0x80 00000244: ADD 00000245: MLOAD 00000246: SWAP4 00000247: POP 00000248: DUP9 00000249: PUSH1 0x60 0000024b: ADD 0000024c: MLOAD 0000024d: SWAP3 0000024e: POP 0000024f: PUSH1 0x00 00000251: DUP1 00000252: SWAP1 00000253: SLOAD 00000254: SWAP1 00000255: PUSH2 0x0100 00000258: EXP 00000259: SWAP1 0000025a: DIV 0000025b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000270: AND 00000271: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000286: AND 00000287: DUP5 00000288: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000029d: AND 0000029e: EQ 0000029f: ISZERO 000002a0: ISZERO 000002a1: PUSH2 0x02a9 000002a4: JUMPI 000002a5: PUSH1 0x00 000002a7: DUP1 000002a8: REVERT 000002a9: JUMPDEST 000002aa: PUSH2 0x02b4 000002ad: DUP8 000002ae: DUP8 000002af: DUP8 000002b0: PUSH2 0x036e 000002b3: JUMP 000002b4: JUMPDEST 000002b5: SWAP2 000002b6: POP 000002b7: PUSH2 0x02c0 000002ba: DUP3 000002bb: DUP5 000002bc: PUSH2 0x07c5 000002bf: JUMP 000002c0: JUMPDEST 000002c1: SWAP1 000002c2: POP 000002c3: DUP4 000002c4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002d9: AND 000002da: DUP2 000002db: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002f0: AND 000002f1: EQ 000002f2: SWAP8 000002f3: POP 000002f4: POP 000002f5: POP 000002f6: POP 000002f7: POP 000002f8: POP 000002f9: POP 000002fa: POP 000002fb: SWAP2 000002fc: SWAP1 000002fd: POP 000002fe: JUMP 000002ff: JUMPDEST 00000300: PUSH1 0x00 00000302: DUP1 00000303: SWAP1 00000304: POP 00000305: JUMPDEST 00000306: DUP2 00000307: MLOAD 00000308: DUP2 00000309: PUSH1 0xff 0000030b: AND 0000030c: LT 0000030d: ISZERO 0000030e: PUSH2 0x0341 00000311: JUMPI 00000312: PUSH2 0x0334 00000315: DUP3 00000316: DUP3 00000317: PUSH1 0xff 00000319: AND 0000031a: DUP2 0000031b: MLOAD 0000031c: DUP2 0000031d: LT 0000031e: ISZERO 0000031f: ISZERO 00000320: PUSH2 0x0325 00000323: JUMPI 00000324: INVALID 00000325: JUMPDEST 00000326: SWAP1 00000327: PUSH1 0x20 00000329: ADD 0000032a: SWAP1 0000032b: PUSH1 0x20 0000032d: MUL 0000032e: ADD 0000032f: MLOAD 00000330: PUSH2 0x04d3 00000333: JUMP 00000334: JUMPDEST 00000335: DUP1 00000336: DUP1 00000337: PUSH1 0x01 00000339: ADD 0000033a: SWAP2 0000033b: POP 0000033c: POP 0000033d: PUSH2 0x0305 00000340: JUMP 00000341: JUMPDEST 00000342: POP 00000343: POP 00000344: JUMP 00000345: JUMPDEST 00000346: PUSH1 0x00 00000348: DUP1 00000349: PUSH1 0x00 0000034b: SWAP1 0000034c: SLOAD 0000034d: SWAP1 0000034e: PUSH2 0x0100 00000351: EXP 00000352: SWAP1 00000353: DIV 00000354: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000369: AND 0000036a: SWAP1 0000036b: POP 0000036c: SWAP1 0000036d: JUMP 0000036e: JUMPDEST 0000036f: PUSH1 0x00 00000371: DUP1 00000372: DUP5 00000373: DUP5 00000374: DUP5 00000375: PUSH1 0x40 00000377: MLOAD 00000378: DUP1 00000379: DUP5 0000037a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000038f: AND 00000390: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000003a5: AND 000003a6: PUSH13 0x01000000000000000000000000 000003b4: MUL 000003b5: DUP2 000003b6: MSTORE 000003b7: PUSH1 0x14 000003b9: ADD 000003ba: DUP4 000003bb: DUP1 000003bc: MLOAD 000003bd: SWAP1 000003be: PUSH1 0x20 000003c0: ADD 000003c1: SWAP1 000003c2: DUP1 000003c3: DUP4 000003c4: DUP4 000003c5: JUMPDEST 000003c6: PUSH1 0x20 000003c8: DUP4 000003c9: LT 000003ca: ISZERO 000003cb: ISZERO 000003cc: PUSH2 0x03ea 000003cf: JUMPI 000003d0: DUP1 000003d1: MLOAD 000003d2: DUP3 000003d3: MSTORE 000003d4: PUSH1 0x20 000003d6: DUP3 000003d7: ADD 000003d8: SWAP2 000003d9: POP 000003da: PUSH1 0x20 000003dc: DUP2 000003dd: ADD 000003de: SWAP1 000003df: POP 000003e0: PUSH1 0x20 000003e2: DUP4 000003e3: SUB 000003e4: SWAP3 000003e5: POP 000003e6: PUSH2 0x03c5 000003e9: JUMP 000003ea: JUMPDEST 000003eb: PUSH1 0x01 000003ed: DUP4 000003ee: PUSH1 0x20 000003f0: SUB 000003f1: PUSH2 0x0100 000003f4: EXP 000003f5: SUB 000003f6: DUP1 000003f7: NOT 000003f8: DUP3 000003f9: MLOAD 000003fa: AND 000003fb: DUP2 000003fc: DUP5 000003fd: MLOAD 000003fe: AND 000003ff: DUP1 00000400: DUP3 00000401: OR 00000402: DUP6 00000403: MSTORE 00000404: POP 00000405: POP 00000406: POP 00000407: POP 00000408: POP 00000409: POP 0000040a: SWAP1 0000040b: POP 0000040c: ADD 0000040d: DUP3 0000040e: DUP2 0000040f: MSTORE 00000410: PUSH1 0x20 00000412: ADD 00000413: SWAP4 00000414: POP 00000415: POP 00000416: POP 00000417: POP 00000418: PUSH1 0x40 0000041a: MLOAD 0000041b: DUP1 0000041c: SWAP2 0000041d: SUB 0000041e: SWAP1 0000041f: KECCAK256 00000420: SWAP1 00000421: POP 00000422: PUSH1 0x40 00000424: DUP1 00000425: MLOAD 00000426: SWAP1 00000427: DUP2 00000428: ADD 00000429: PUSH1 0x40 0000042b: MSTORE 0000042c: DUP1 0000042d: PUSH1 0x1c 0000042f: DUP2 00000430: MSTORE 00000431: PUSH1 0x20 00000433: ADD 00000434: PUSH32 0x19457468657265756d205369676e6564204d6573736167653a0a333200000000 00000455: DUP2 00000456: MSTORE 00000457: POP 00000458: DUP2 00000459: PUSH1 0x40 0000045b: MLOAD 0000045c: DUP1 0000045d: DUP4 0000045e: DUP1 0000045f: MLOAD 00000460: SWAP1 00000461: PUSH1 0x20 00000463: ADD 00000464: SWAP1 00000465: DUP1 00000466: DUP4 00000467: DUP4 00000468: JUMPDEST 00000469: PUSH1 0x20 0000046b: DUP4 0000046c: LT 0000046d: ISZERO 0000046e: ISZERO 0000046f: PUSH2 0x048d 00000472: JUMPI 00000473: DUP1 00000474: MLOAD 00000475: DUP3 00000476: MSTORE 00000477: PUSH1 0x20 00000479: DUP3 0000047a: ADD 0000047b: SWAP2 0000047c: POP 0000047d: PUSH1 0x20 0000047f: DUP2 00000480: ADD 00000481: SWAP1 00000482: POP 00000483: PUSH1 0x20 00000485: DUP4 00000486: SUB 00000487: SWAP3 00000488: POP 00000489: PUSH2 0x0468 0000048c: JUMP 0000048d: JUMPDEST 0000048e: PUSH1 0x01 00000490: DUP4 00000491: PUSH1 0x20 00000493: SUB 00000494: PUSH2 0x0100 00000497: EXP 00000498: SUB 00000499: DUP1 0000049a: NOT 0000049b: DUP3 0000049c: MLOAD 0000049d: AND 0000049e: DUP2 0000049f: DUP5 000004a0: MLOAD 000004a1: AND 000004a2: DUP1 000004a3: DUP3 000004a4: OR 000004a5: DUP6 000004a6: MSTORE 000004a7: POP 000004a8: POP 000004a9: POP 000004aa: POP 000004ab: POP 000004ac: POP 000004ad: SWAP1 000004ae: POP 000004af: ADD 000004b0: DUP3 000004b1: PUSH1 0x00 000004b3: NOT 000004b4: AND 000004b5: PUSH1 0x00 000004b7: NOT 000004b8: AND 000004b9: DUP2 000004ba: MSTORE 000004bb: PUSH1 0x20 000004bd: ADD 000004be: SWAP3 000004bf: POP 000004c0: POP 000004c1: POP 000004c2: PUSH1 0x40 000004c4: MLOAD 000004c5: DUP1 000004c6: SWAP2 000004c7: SUB 000004c8: SWAP1 000004c9: KECCAK256 000004ca: SWAP2 000004cb: POP 000004cc: POP 000004cd: SWAP4 000004ce: SWAP3 000004cf: POP 000004d0: POP 000004d1: POP 000004d2: JUMP 000004d3: JUMPDEST 000004d4: PUSH1 0x00 000004d6: PUSH1 0x60 000004d8: PUSH1 0x00 000004da: DUP1 000004db: DUP5 000004dc: PUSH1 0x00 000004de: ADD 000004df: MLOAD 000004e0: SWAP4 000004e1: POP 000004e2: DUP5 000004e3: PUSH1 0x20 000004e5: ADD 000004e6: MLOAD 000004e7: SWAP3 000004e8: POP 000004e9: DUP5 000004ea: PUSH1 0x40 000004ec: ADD 000004ed: MLOAD 000004ee: SWAP2 000004ef: POP 000004f0: DUP5 000004f1: PUSH1 0x80 000004f3: ADD 000004f4: MLOAD 000004f5: SWAP1 000004f6: POP 000004f7: PUSH32 0x74d34c6fe876d2d910521ea7c31bdea6530879732d5e8fa3781ce25171fa1760 00000518: DUP5 00000519: DUP3 0000051a: PUSH1 0x40 0000051c: MLOAD 0000051d: PUSH2 0x0527 00000520: SWAP3 00000521: SWAP2 00000522: SWAP1 00000523: PUSH2 0x0e4d 00000526: JUMP 00000527: JUMPDEST 00000528: PUSH1 0x40 0000052a: MLOAD 0000052b: DUP1 0000052c: SWAP2 0000052d: SUB 0000052e: SWAP1 0000052f: LOG1 00000530: PUSH2 0x0538 00000533: DUP6 00000534: PUSH2 0x0218 00000537: JUMP 00000538: JUMPDEST 00000539: ISZERO 0000053a: ISZERO 0000053b: PUSH2 0x0579 0000053e: JUMPI 0000053f: PUSH1 0x40 00000541: MLOAD 00000542: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 00000563: DUP2 00000564: MSTORE 00000565: PUSH1 0x04 00000567: ADD 00000568: PUSH2 0x0570 0000056b: SWAP1 0000056c: PUSH2 0x0ef1 0000056f: JUMP 00000570: JUMPDEST 00000571: PUSH1 0x40 00000573: MLOAD 00000574: DUP1 00000575: SWAP2 00000576: SUB 00000577: SWAP1 00000578: REVERT 00000579: JUMPDEST 0000057a: DUP4 0000057b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000590: AND 00000591: DUP3 00000592: DUP5 00000593: PUSH1 0x40 00000595: MLOAD 00000596: DUP1 00000597: DUP3 00000598: DUP1 00000599: MLOAD 0000059a: SWAP1 0000059b: PUSH1 0x20 0000059d: ADD 0000059e: SWAP1 0000059f: DUP1 000005a0: DUP4 000005a1: DUP4 000005a2: PUSH1 0x00 000005a4: JUMPDEST 000005a5: DUP4 000005a6: DUP2 000005a7: LT 000005a8: ISZERO 000005a9: PUSH2 0x05bf 000005ac: JUMPI 000005ad: DUP1 000005ae: DUP3 000005af: ADD 000005b0: MLOAD 000005b1: DUP2 000005b2: DUP5 000005b3: ADD 000005b4: MSTORE 000005b5: PUSH1 0x20 000005b7: DUP2 000005b8: ADD 000005b9: SWAP1 000005ba: POP 000005bb: PUSH2 0x05a4 000005be: JUMP 000005bf: JUMPDEST 000005c0: POP 000005c1: POP 000005c2: POP 000005c3: POP 000005c4: SWAP1 000005c5: POP 000005c6: SWAP1 000005c7: DUP2 000005c8: ADD 000005c9: SWAP1 000005ca: PUSH1 0x1f 000005cc: AND 000005cd: DUP1 000005ce: ISZERO 000005cf: PUSH2 0x05ec 000005d2: JUMPI 000005d3: DUP1 000005d4: DUP3 000005d5: SUB 000005d6: DUP1 000005d7: MLOAD 000005d8: PUSH1 0x01 000005da: DUP4 000005db: PUSH1 0x20 000005dd: SUB 000005de: PUSH2 0x0100 000005e1: EXP 000005e2: SUB 000005e3: NOT 000005e4: AND 000005e5: DUP2 000005e6: MSTORE 000005e7: PUSH1 0x20 000005e9: ADD 000005ea: SWAP2 000005eb: POP 000005ec: JUMPDEST 000005ed: POP 000005ee: SWAP2 000005ef: POP 000005f0: POP 000005f1: PUSH1 0x00 000005f3: PUSH1 0x40 000005f5: MLOAD 000005f6: DUP1 000005f7: DUP4 000005f8: SUB 000005f9: DUP2 000005fa: DUP6 000005fb: DUP8 000005fc: GAS 000005fd: CALL 000005fe: SWAP3 000005ff: POP 00000600: POP 00000601: POP 00000602: ISZERO 00000603: ISZERO 00000604: PUSH2 0x0642 00000607: JUMPI 00000608: PUSH1 0x40 0000060a: MLOAD 0000060b: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 0000062c: DUP2 0000062d: MSTORE 0000062e: PUSH1 0x04 00000630: ADD 00000631: PUSH2 0x0639 00000634: SWAP1 00000635: PUSH2 0x0f11 00000638: JUMP 00000639: JUMPDEST 0000063a: PUSH1 0x40 0000063c: MLOAD 0000063d: DUP1 0000063e: SWAP2 0000063f: SUB 00000640: SWAP1 00000641: REVERT 00000642: JUMPDEST 00000643: PUSH32 0x9ae6eab77ab97680a0708bbb21af686ae24276636c6aa70f8a02f4cccd49499b 00000664: DUP5 00000665: DUP3 00000666: PUSH1 0x40 00000668: MLOAD 00000669: PUSH2 0x0673 0000066c: SWAP3 0000066d: SWAP2 0000066e: SWAP1 0000066f: PUSH2 0x0e4d 00000672: JUMP 00000673: JUMPDEST 00000674: PUSH1 0x40 00000676: MLOAD 00000677: DUP1 00000678: SWAP2 00000679: SUB 0000067a: SWAP1 0000067b: LOG1 0000067c: POP 0000067d: POP 0000067e: POP 0000067f: POP 00000680: POP 00000681: JUMP 00000682: JUMPDEST 00000683: PUSH32 0x4f7b0265dc15e282f56ae0820603286a6547460256b0fe068e6ed578cb3d8bb6 000006a4: DUP2 000006a5: PUSH1 0x40 000006a7: MLOAD 000006a8: PUSH2 0x06b1 000006ab: SWAP2 000006ac: SWAP1 000006ad: PUSH2 0x0e32 000006b0: JUMP 000006b1: JUMPDEST 000006b2: PUSH1 0x40 000006b4: MLOAD 000006b5: DUP1 000006b6: SWAP2 000006b7: SUB 000006b8: SWAP1 000006b9: LOG1 000006ba: PUSH1 0x00 000006bc: DUP1 000006bd: SWAP1 000006be: SLOAD 000006bf: SWAP1 000006c0: PUSH2 0x0100 000006c3: EXP 000006c4: SWAP1 000006c5: DIV 000006c6: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006db: AND 000006dc: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006f1: AND 000006f2: CALLER 000006f3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000708: AND 00000709: EQ 0000070a: ISZERO 0000070b: PUSH2 0x078a 0000070e: JUMPI 0000070f: DUP1 00000710: PUSH1 0x00 00000712: DUP1 00000713: PUSH2 0x0100 00000716: EXP 00000717: DUP2 00000718: SLOAD 00000719: DUP2 0000071a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000072f: MUL 00000730: NOT 00000731: AND 00000732: SWAP1 00000733: DUP4 00000734: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000749: AND 0000074a: MUL 0000074b: OR 0000074c: SWAP1 0000074d: SSTORE 0000074e: POP 0000074f: PUSH32 0x5c4387c894a24bbdaab0ebb3e90d2d0f0d1900a6b4878e87c1fc3bfe75c1f0df 00000770: DUP2 00000771: PUSH1 0x40 00000773: MLOAD 00000774: PUSH2 0x077d 00000777: SWAP2 00000778: SWAP1 00000779: PUSH2 0x0e32 0000077c: JUMP 0000077d: JUMPDEST 0000077e: PUSH1 0x40 00000780: MLOAD 00000781: DUP1 00000782: SWAP2 00000783: SUB 00000784: SWAP1 00000785: LOG1 00000786: PUSH2 0x07c2 00000789: JUMP 0000078a: JUMPDEST 0000078b: PUSH32 0x6e7c18ac33fbdcd4f970e95dbb26c2f291e243f724c43b33c701f00f75826513 000007ac: DUP2 000007ad: PUSH1 0x40 000007af: MLOAD 000007b0: PUSH2 0x07b9 000007b3: SWAP2 000007b4: SWAP1 000007b5: PUSH2 0x0e32 000007b8: JUMP 000007b9: JUMPDEST 000007ba: PUSH1 0x40 000007bc: MLOAD 000007bd: DUP1 000007be: SWAP2 000007bf: SUB 000007c0: SWAP1 000007c1: LOG1 000007c2: JUMPDEST 000007c3: POP 000007c4: JUMP 000007c5: JUMPDEST 000007c6: PUSH1 0x00 000007c8: PUSH1 0x01 000007ca: DUP4 000007cb: DUP4 000007cc: PUSH1 0x00 000007ce: ADD 000007cf: MLOAD 000007d0: DUP5 000007d1: PUSH1 0x20 000007d3: ADD 000007d4: MLOAD 000007d5: DUP6 000007d6: PUSH1 0x40 000007d8: ADD 000007d9: MLOAD 000007da: PUSH1 0x40 000007dc: MLOAD 000007dd: PUSH1 0x00 000007df: DUP2 000007e0: MSTORE 000007e1: PUSH1 0x20 000007e3: ADD 000007e4: PUSH1 0x40 000007e6: MSTORE 000007e7: PUSH1 0x40 000007e9: MLOAD 000007ea: PUSH2 0x07f6 000007ed: SWAP5 000007ee: SWAP4 000007ef: SWAP3 000007f0: SWAP2 000007f1: SWAP1 000007f2: PUSH2 0x0eac 000007f5: JUMP 000007f6: JUMPDEST 000007f7: PUSH1 0x20 000007f9: PUSH1 0x40 000007fb: MLOAD 000007fc: PUSH1 0x20 000007fe: DUP2 000007ff: SUB 00000800: SWAP1 00000801: DUP1 00000802: DUP5 00000803: SUB 00000804: SWAP1 00000805: PUSH1 0x00 00000807: DUP7 00000808: GAS 00000809: CALL 0000080a: ISZERO 0000080b: DUP1 0000080c: ISZERO 0000080d: PUSH2 0x081a 00000810: JUMPI 00000811: RETURNDATASIZE 00000812: PUSH1 0x00 00000814: DUP1 00000815: RETURNDATACOPY 00000816: RETURNDATASIZE 00000817: PUSH1 0x00 00000819: REVERT 0000081a: JUMPDEST 0000081b: POP 0000081c: POP 0000081d: POP 0000081e: PUSH1 0x20 00000820: PUSH1 0x40 00000822: MLOAD 00000823: SUB 00000824: MLOAD 00000825: SWAP1 00000826: POP 00000827: SWAP3 00000828: SWAP2 00000829: POP 0000082a: POP 0000082b: JUMP 0000082c: JUMPDEST 0000082d: PUSH1 0x00 0000082f: DUP1 00000830: SWAP1 00000831: SLOAD 00000832: SWAP1 00000833: PUSH2 0x0100 00000836: EXP 00000837: SWAP1 00000838: DIV 00000839: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000084e: AND 0000084f: DUP2 00000850: JUMP 00000851: JUMPDEST 00000852: PUSH1 0x60 00000854: PUSH1 0x40 00000856: MLOAD 00000857: SWAP1 00000858: DUP2 00000859: ADD 0000085a: PUSH1 0x40 0000085c: MSTORE 0000085d: DUP1 0000085e: PUSH1 0x00 00000860: PUSH1 0xff 00000862: AND 00000863: DUP2 00000864: MSTORE 00000865: PUSH1 0x20 00000867: ADD 00000868: PUSH1 0x00 0000086a: DUP1 0000086b: NOT 0000086c: AND 0000086d: DUP2 0000086e: MSTORE 0000086f: PUSH1 0x20 00000871: ADD 00000872: PUSH1 0x00 00000874: DUP1 00000875: NOT 00000876: AND 00000877: DUP2 00000878: MSTORE 00000879: POP 0000087a: SWAP1 0000087b: JUMP 0000087c: JUMPDEST 0000087d: PUSH1 0x00 0000087f: PUSH2 0x0888 00000882: DUP3 00000883: CALLDATALOAD 00000884: PUSH2 0x1021 00000887: JUMP 00000888: JUMPDEST 00000889: SWAP1 0000088a: POP 0000088b: SWAP3 0000088c: SWAP2 0000088d: POP 0000088e: POP 0000088f: JUMP 00000890: JUMPDEST 00000891: PUSH1 0x00 00000893: DUP3 00000894: PUSH1 0x1f 00000896: DUP4 00000897: ADD 00000898: SLT 00000899: ISZERO 0000089a: ISZERO 0000089b: PUSH2 0x08a3 0000089e: JUMPI 0000089f: PUSH1 0x00 000008a1: DUP1 000008a2: REVERT 000008a3: JUMPDEST 000008a4: DUP2 000008a5: CALLDATALOAD 000008a6: PUSH2 0x08b6 000008a9: PUSH2 0x08b1 000008ac: DUP3 000008ad: PUSH2 0x0f5e 000008b0: JUMP 000008b1: JUMPDEST 000008b2: PUSH2 0x0f31 000008b5: JUMP 000008b6: JUMPDEST 000008b7: SWAP2 000008b8: POP 000008b9: DUP2 000008ba: DUP2 000008bb: DUP4 000008bc: MSTORE 000008bd: PUSH1 0x20 000008bf: DUP5 000008c0: ADD 000008c1: SWAP4 000008c2: POP 000008c3: PUSH1 0x20 000008c5: DUP2 000008c6: ADD 000008c7: SWAP1 000008c8: POP 000008c9: DUP4 000008ca: PUSH1 0x00 000008cc: JUMPDEST 000008cd: DUP4 000008ce: DUP2 000008cf: LT 000008d0: ISZERO 000008d1: PUSH2 0x08fc 000008d4: JUMPI 000008d5: DUP2 000008d6: CALLDATALOAD 000008d7: DUP7 000008d8: ADD 000008d9: PUSH2 0x08e2 000008dc: DUP9 000008dd: DUP3 000008de: PUSH2 0x0a86 000008e1: JUMP 000008e2: JUMPDEST 000008e3: DUP5 000008e4: MSTORE 000008e5: PUSH1 0x20 000008e7: DUP5 000008e8: ADD 000008e9: SWAP4 000008ea: POP 000008eb: PUSH1 0x20 000008ed: DUP4 000008ee: ADD 000008ef: SWAP3 000008f0: POP 000008f1: POP 000008f2: PUSH1 0x01 000008f4: DUP2 000008f5: ADD 000008f6: SWAP1 000008f7: POP 000008f8: PUSH2 0x08cc 000008fb: JUMP 000008fc: JUMPDEST 000008fd: POP 000008fe: POP 000008ff: POP 00000900: POP 00000901: SWAP3 00000902: SWAP2 00000903: POP 00000904: POP 00000905: JUMP 00000906: JUMPDEST 00000907: PUSH1 0x00 00000909: PUSH2 0x0912 0000090c: DUP3 0000090d: CALLDATALOAD 0000090e: PUSH2 0x1041 00000911: JUMP 00000912: JUMPDEST 00000913: SWAP1 00000914: POP 00000915: SWAP3 00000916: SWAP2 00000917: POP 00000918: POP 00000919: JUMP 0000091a: JUMPDEST 0000091b: PUSH1 0x00 0000091d: DUP3 0000091e: PUSH1 0x1f 00000920: DUP4 00000921: ADD 00000922: SLT 00000923: ISZERO 00000924: ISZERO 00000925: PUSH2 0x092d 00000928: JUMPI 00000929: PUSH1 0x00 0000092b: DUP1 0000092c: REVERT 0000092d: JUMPDEST 0000092e: DUP2 0000092f: CALLDATALOAD 00000930: PUSH2 0x0940 00000933: PUSH2 0x093b 00000936: DUP3 00000937: PUSH2 0x0f86 0000093a: JUMP 0000093b: JUMPDEST 0000093c: PUSH2 0x0f31 0000093f: JUMP 00000940: JUMPDEST 00000941: SWAP2 00000942: POP 00000943: DUP1 00000944: DUP3 00000945: MSTORE 00000946: PUSH1 0x20 00000948: DUP4 00000949: ADD 0000094a: PUSH1 0x20 0000094c: DUP4 0000094d: ADD 0000094e: DUP6 0000094f: DUP4 00000950: DUP4 00000951: ADD 00000952: GT 00000953: ISZERO 00000954: PUSH2 0x095c 00000957: JUMPI 00000958: PUSH1 0x00 0000095a: DUP1 0000095b: REVERT 0000095c: JUMPDEST 0000095d: PUSH2 0x0967 00000960: DUP4 00000961: DUP3 00000962: DUP5 00000963: PUSH2 0x1062 00000966: JUMP 00000967: JUMPDEST 00000968: POP 00000969: POP 0000096a: POP 0000096b: SWAP3 0000096c: SWAP2 0000096d: POP 0000096e: POP 0000096f: JUMP 00000970: JUMPDEST 00000971: PUSH1 0x00 00000973: DUP3 00000974: PUSH1 0x1f 00000976: DUP4 00000977: ADD 00000978: SLT 00000979: ISZERO 0000097a: ISZERO 0000097b: PUSH2 0x0983 0000097e: JUMPI 0000097f: PUSH1 0x00 00000981: DUP1 00000982: REVERT 00000983: JUMPDEST 00000984: DUP2 00000985: CALLDATALOAD 00000986: PUSH2 0x0996 00000989: PUSH2 0x0991 0000098c: DUP3 0000098d: PUSH2 0x0fb2 00000990: JUMP 00000991: JUMPDEST 00000992: PUSH2 0x0f31 00000995: JUMP 00000996: JUMPDEST 00000997: SWAP2 00000998: POP 00000999: DUP1 0000099a: DUP3 0000099b: MSTORE 0000099c: PUSH1 0x20 0000099e: DUP4 0000099f: ADD 000009a0: PUSH1 0x20 000009a2: DUP4 000009a3: ADD 000009a4: DUP6 000009a5: DUP4 000009a6: DUP4 000009a7: ADD 000009a8: GT 000009a9: ISZERO 000009aa: PUSH2 0x09b2 000009ad: JUMPI 000009ae: PUSH1 0x00 000009b0: DUP1 000009b1: REVERT 000009b2: JUMPDEST 000009b3: PUSH2 0x09bd 000009b6: DUP4 000009b7: DUP3 000009b8: DUP5 000009b9: PUSH2 0x1062 000009bc: JUMP 000009bd: JUMPDEST 000009be: POP 000009bf: POP 000009c0: POP 000009c1: SWAP3 000009c2: SWAP2 000009c3: POP 000009c4: POP 000009c5: JUMP 000009c6: JUMPDEST 000009c7: PUSH1 0x00 000009c9: PUSH1 0x60 000009cb: DUP3 000009cc: DUP5 000009cd: SUB 000009ce: SLT 000009cf: ISZERO 000009d0: PUSH2 0x09d8 000009d3: JUMPI 000009d4: PUSH1 0x00 000009d6: DUP1 000009d7: REVERT 000009d8: JUMPDEST 000009d9: PUSH2 0x09e2 000009dc: PUSH1 0x60 000009de: PUSH2 0x0f31 000009e1: JUMP 000009e2: JUMPDEST 000009e3: SWAP1 000009e4: POP 000009e5: PUSH1 0x00 000009e7: PUSH2 0x09f2 000009ea: DUP5 000009eb: DUP3 000009ec: DUP6 000009ed: ADD 000009ee: PUSH2 0x0bda 000009f1: JUMP 000009f2: JUMPDEST 000009f3: PUSH1 0x00 000009f5: DUP4 000009f6: ADD 000009f7: MSTORE 000009f8: POP 000009f9: PUSH1 0x20 000009fb: PUSH2 0x0a06 000009fe: DUP5 000009ff: DUP3 00000a00: DUP6 00000a01: ADD 00000a02: PUSH2 0x0906 00000a05: JUMP 00000a06: JUMPDEST 00000a07: PUSH1 0x20 00000a09: DUP4 00000a0a: ADD 00000a0b: MSTORE 00000a0c: POP 00000a0d: PUSH1 0x40 00000a0f: PUSH2 0x0a1a 00000a12: DUP5 00000a13: DUP3 00000a14: DUP6 00000a15: ADD 00000a16: PUSH2 0x0906 00000a19: JUMP 00000a1a: JUMPDEST 00000a1b: PUSH1 0x40 00000a1d: DUP4 00000a1e: ADD 00000a1f: MSTORE 00000a20: POP 00000a21: SWAP3 00000a22: SWAP2 00000a23: POP 00000a24: POP 00000a25: JUMP 00000a26: JUMPDEST 00000a27: PUSH1 0x00 00000a29: PUSH1 0x60 00000a2b: DUP3 00000a2c: DUP5 00000a2d: SUB 00000a2e: SLT 00000a2f: ISZERO 00000a30: PUSH2 0x0a38 00000a33: JUMPI 00000a34: PUSH1 0x00 00000a36: DUP1 00000a37: REVERT 00000a38: JUMPDEST 00000a39: PUSH2 0x0a42 00000a3c: PUSH1 0x60 00000a3e: PUSH2 0x0f31 00000a41: JUMP 00000a42: JUMPDEST 00000a43: SWAP1 00000a44: POP 00000a45: PUSH1 0x00 00000a47: PUSH2 0x0a52 00000a4a: DUP5 00000a4b: DUP3 00000a4c: DUP6 00000a4d: ADD 00000a4e: PUSH2 0x0bda 00000a51: JUMP 00000a52: JUMPDEST 00000a53: PUSH1 0x00 00000a55: DUP4 00000a56: ADD 00000a57: MSTORE 00000a58: POP 00000a59: PUSH1 0x20 00000a5b: PUSH2 0x0a66 00000a5e: DUP5 00000a5f: DUP3 00000a60: DUP6 00000a61: ADD 00000a62: PUSH2 0x0906 00000a65: JUMP 00000a66: JUMPDEST 00000a67: PUSH1 0x20 00000a69: DUP4 00000a6a: ADD 00000a6b: MSTORE 00000a6c: POP 00000a6d: PUSH1 0x40 00000a6f: PUSH2 0x0a7a 00000a72: DUP5 00000a73: DUP3 00000a74: DUP6 00000a75: ADD 00000a76: PUSH2 0x0906 00000a79: JUMP 00000a7a: JUMPDEST 00000a7b: PUSH1 0x40 00000a7d: DUP4 00000a7e: ADD 00000a7f: MSTORE 00000a80: POP 00000a81: SWAP3 00000a82: SWAP2 00000a83: POP 00000a84: POP 00000a85: JUMP 00000a86: JUMPDEST 00000a87: PUSH1 0x00 00000a89: PUSH1 0xe0 00000a8b: DUP3 00000a8c: DUP5 00000a8d: SUB 00000a8e: SLT 00000a8f: ISZERO 00000a90: PUSH2 0x0a98 00000a93: JUMPI 00000a94: PUSH1 0x00 00000a96: DUP1 00000a97: REVERT 00000a98: JUMPDEST 00000a99: PUSH2 0x0aa2 00000a9c: PUSH1 0xa0 00000a9e: PUSH2 0x0f31 00000aa1: JUMP 00000aa2: JUMPDEST 00000aa3: SWAP1 00000aa4: POP 00000aa5: PUSH1 0x00 00000aa7: PUSH2 0x0ab2 00000aaa: DUP5 00000aab: DUP3 00000aac: DUP6 00000aad: ADD 00000aae: PUSH2 0x087c 00000ab1: JUMP 00000ab2: JUMPDEST 00000ab3: PUSH1 0x00 00000ab5: DUP4 00000ab6: ADD 00000ab7: MSTORE 00000ab8: POP 00000ab9: PUSH1 0x20 00000abb: DUP3 00000abc: ADD 00000abd: CALLDATALOAD 00000abe: PUSH8 0xffffffffffffffff 00000ac7: DUP2 00000ac8: GT 00000ac9: ISZERO 00000aca: PUSH2 0x0ad2 00000acd: JUMPI 00000ace: PUSH1 0x00 00000ad0: DUP1 00000ad1: REVERT 00000ad2: JUMPDEST 00000ad3: PUSH2 0x0ade 00000ad6: DUP5 00000ad7: DUP3 00000ad8: DUP6 00000ad9: ADD 00000ada: PUSH2 0x091a 00000add: JUMP 00000ade: JUMPDEST 00000adf: PUSH1 0x20 00000ae1: DUP4 00000ae2: ADD 00000ae3: MSTORE 00000ae4: POP 00000ae5: PUSH1 0x40 00000ae7: PUSH2 0x0af2 00000aea: DUP5 00000aeb: DUP3 00000aec: DUP6 00000aed: ADD 00000aee: PUSH2 0x0bc6 00000af1: JUMP 00000af2: JUMPDEST 00000af3: PUSH1 0x40 00000af5: DUP4 00000af6: ADD 00000af7: MSTORE 00000af8: POP 00000af9: PUSH1 0x60 00000afb: PUSH2 0x0b06 00000afe: DUP5 00000aff: DUP3 00000b00: DUP6 00000b01: ADD 00000b02: PUSH2 0x09c6 00000b05: JUMP 00000b06: JUMPDEST 00000b07: PUSH1 0x60 00000b09: DUP4 00000b0a: ADD 00000b0b: MSTORE 00000b0c: POP 00000b0d: PUSH1 0xc0 00000b0f: PUSH2 0x0b1a 00000b12: DUP5 00000b13: DUP3 00000b14: DUP6 00000b15: ADD 00000b16: PUSH2 0x087c 00000b19: JUMP 00000b1a: JUMPDEST 00000b1b: PUSH1 0x80 00000b1d: DUP4 00000b1e: ADD 00000b1f: MSTORE 00000b20: POP 00000b21: SWAP3 00000b22: SWAP2 00000b23: POP 00000b24: POP 00000b25: JUMP 00000b26: JUMPDEST 00000b27: PUSH1 0x00 00000b29: PUSH1 0xe0 00000b2b: DUP3 00000b2c: DUP5 00000b2d: SUB 00000b2e: SLT 00000b2f: ISZERO 00000b30: PUSH2 0x0b38 00000b33: JUMPI 00000b34: PUSH1 0x00 00000b36: DUP1 00000b37: REVERT 00000b38: JUMPDEST 00000b39: PUSH2 0x0b42 00000b3c: PUSH1 0xa0 00000b3e: PUSH2 0x0f31 00000b41: JUMP 00000b42: JUMPDEST 00000b43: SWAP1 00000b44: POP 00000b45: PUSH1 0x00 00000b47: PUSH2 0x0b52 00000b4a: DUP5 00000b4b: DUP3 00000b4c: DUP6 00000b4d: ADD 00000b4e: PUSH2 0x087c 00000b51: JUMP 00000b52: JUMPDEST 00000b53: PUSH1 0x00 00000b55: DUP4 00000b56: ADD 00000b57: MSTORE 00000b58: POP 00000b59: PUSH1 0x20 00000b5b: DUP3 00000b5c: ADD 00000b5d: CALLDATALOAD 00000b5e: PUSH8 0xffffffffffffffff 00000b67: DUP2 00000b68: GT 00000b69: ISZERO 00000b6a: PUSH2 0x0b72 00000b6d: JUMPI 00000b6e: PUSH1 0x00 00000b70: DUP1 00000b71: REVERT 00000b72: JUMPDEST 00000b73: PUSH2 0x0b7e 00000b76: DUP5 00000b77: DUP3 00000b78: DUP6 00000b79: ADD 00000b7a: PUSH2 0x091a 00000b7d: JUMP 00000b7e: JUMPDEST 00000b7f: PUSH1 0x20 00000b81: DUP4 00000b82: ADD 00000b83: MSTORE 00000b84: POP 00000b85: PUSH1 0x40 00000b87: PUSH2 0x0b92 00000b8a: DUP5 00000b8b: DUP3 00000b8c: DUP6 00000b8d: ADD 00000b8e: PUSH2 0x0bc6 00000b91: JUMP 00000b92: JUMPDEST 00000b93: PUSH1 0x40 00000b95: DUP4 00000b96: ADD 00000b97: MSTORE 00000b98: POP 00000b99: PUSH1 0x60 00000b9b: PUSH2 0x0ba6 00000b9e: DUP5 00000b9f: DUP3 00000ba0: DUP6 00000ba1: ADD 00000ba2: PUSH2 0x09c6 00000ba5: JUMP 00000ba6: JUMPDEST 00000ba7: PUSH1 0x60 00000ba9: DUP4 00000baa: ADD 00000bab: MSTORE 00000bac: POP 00000bad: PUSH1 0xc0 00000baf: PUSH2 0x0bba 00000bb2: DUP5 00000bb3: DUP3 00000bb4: DUP6 00000bb5: ADD 00000bb6: PUSH2 0x087c 00000bb9: JUMP 00000bba: JUMPDEST 00000bbb: PUSH1 0x80 00000bbd: DUP4 00000bbe: ADD 00000bbf: MSTORE 00000bc0: POP 00000bc1: SWAP3 00000bc2: SWAP2 00000bc3: POP 00000bc4: POP 00000bc5: JUMP 00000bc6: JUMPDEST 00000bc7: PUSH1 0x00 00000bc9: PUSH2 0x0bd2 00000bcc: DUP3 00000bcd: CALLDATALOAD 00000bce: PUSH2 0x104b 00000bd1: JUMP 00000bd2: JUMPDEST 00000bd3: SWAP1 00000bd4: POP 00000bd5: SWAP3 00000bd6: SWAP2 00000bd7: POP 00000bd8: POP 00000bd9: JUMP 00000bda: JUMPDEST 00000bdb: PUSH1 0x00 00000bdd: PUSH2 0x0be6 00000be0: DUP3 00000be1: CALLDATALOAD 00000be2: PUSH2 0x1055 00000be5: JUMP 00000be6: JUMPDEST 00000be7: SWAP1 00000be8: POP 00000be9: SWAP3 00000bea: SWAP2 00000beb: POP 00000bec: POP 00000bed: JUMP 00000bee: JUMPDEST 00000bef: PUSH1 0x00 00000bf1: PUSH1 0x20 00000bf3: DUP3 00000bf4: DUP5 00000bf5: SUB 00000bf6: SLT 00000bf7: ISZERO 00000bf8: PUSH2 0x0c00 00000bfb: JUMPI 00000bfc: PUSH1 0x00 00000bfe: DUP1 00000bff: REVERT 00000c00: JUMPDEST 00000c01: PUSH1 0x00 00000c03: PUSH2 0x0c0e 00000c06: DUP5 00000c07: DUP3 00000c08: DUP6 00000c09: ADD 00000c0a: PUSH2 0x087c 00000c0d: JUMP 00000c0e: JUMPDEST 00000c0f: SWAP2 00000c10: POP 00000c11: POP 00000c12: SWAP3 00000c13: SWAP2 00000c14: POP 00000c15: POP 00000c16: JUMP 00000c17: JUMPDEST 00000c18: PUSH1 0x00 00000c1a: DUP1 00000c1b: PUSH1 0x00 00000c1d: PUSH1 0x60 00000c1f: DUP5 00000c20: DUP7 00000c21: SUB 00000c22: SLT 00000c23: ISZERO 00000c24: PUSH2 0x0c2c 00000c27: JUMPI 00000c28: PUSH1 0x00 00000c2a: DUP1 00000c2b: REVERT 00000c2c: JUMPDEST 00000c2d: PUSH1 0x00 00000c2f: PUSH2 0x0c3a 00000c32: DUP7 00000c33: DUP3 00000c34: DUP8 00000c35: ADD 00000c36: PUSH2 0x087c 00000c39: JUMP 00000c3a: JUMPDEST 00000c3b: SWAP4 00000c3c: POP 00000c3d: POP 00000c3e: PUSH1 0x20 00000c40: DUP5 00000c41: ADD 00000c42: CALLDATALOAD 00000c43: PUSH8 0xffffffffffffffff 00000c4c: DUP2 00000c4d: GT 00000c4e: ISZERO 00000c4f: PUSH2 0x0c57 00000c52: JUMPI 00000c53: PUSH1 0x00 00000c55: DUP1 00000c56: REVERT 00000c57: JUMPDEST 00000c58: PUSH2 0x0c63 00000c5b: DUP7 00000c5c: DUP3 00000c5d: DUP8 00000c5e: ADD 00000c5f: PUSH2 0x0970 00000c62: JUMP 00000c63: JUMPDEST 00000c64: SWAP3 00000c65: POP 00000c66: POP 00000c67: PUSH1 0x40 00000c69: PUSH2 0x0c74 00000c6c: DUP7 00000c6d: DUP3 00000c6e: DUP8 00000c6f: ADD 00000c70: PUSH2 0x0bc6 00000c73: JUMP 00000c74: JUMPDEST 00000c75: SWAP2 00000c76: POP 00000c77: POP 00000c78: SWAP3 00000c79: POP 00000c7a: SWAP3 00000c7b: POP 00000c7c: SWAP3 00000c7d: JUMP 00000c7e: JUMPDEST 00000c7f: PUSH1 0x00 00000c81: PUSH1 0x20 00000c83: DUP3 00000c84: DUP5 00000c85: SUB 00000c86: SLT 00000c87: ISZERO 00000c88: PUSH2 0x0c90 00000c8b: JUMPI 00000c8c: PUSH1 0x00 00000c8e: DUP1 00000c8f: REVERT 00000c90: JUMPDEST 00000c91: PUSH1 0x00 00000c93: DUP3 00000c94: ADD 00000c95: CALLDATALOAD 00000c96: PUSH8 0xffffffffffffffff 00000c9f: DUP2 00000ca0: GT 00000ca1: ISZERO 00000ca2: PUSH2 0x0caa 00000ca5: JUMPI 00000ca6: PUSH1 0x00 00000ca8: DUP1 00000ca9: REVERT 00000caa: JUMPDEST 00000cab: PUSH2 0x0cb6 00000cae: DUP5 00000caf: DUP3 00000cb0: DUP6 00000cb1: ADD 00000cb2: PUSH2 0x0890 00000cb5: JUMP 00000cb6: JUMPDEST 00000cb7: SWAP2 00000cb8: POP 00000cb9: POP 00000cba: SWAP3 00000cbb: SWAP2 00000cbc: POP 00000cbd: POP 00000cbe: JUMP 00000cbf: JUMPDEST 00000cc0: PUSH1 0x00 00000cc2: DUP1 00000cc3: PUSH1 0x80 00000cc5: DUP4 00000cc6: DUP6 00000cc7: SUB 00000cc8: SLT 00000cc9: ISZERO 00000cca: PUSH2 0x0cd2 00000ccd: JUMPI 00000cce: PUSH1 0x00 00000cd0: DUP1 00000cd1: REVERT 00000cd2: JUMPDEST 00000cd3: PUSH1 0x00 00000cd5: PUSH2 0x0ce0 00000cd8: DUP6 00000cd9: DUP3 00000cda: DUP7 00000cdb: ADD 00000cdc: PUSH2 0x0906 00000cdf: JUMP 00000ce0: JUMPDEST 00000ce1: SWAP3 00000ce2: POP 00000ce3: POP 00000ce4: PUSH1 0x20 00000ce6: PUSH2 0x0cf1 00000ce9: DUP6 00000cea: DUP3 00000ceb: DUP7 00000cec: ADD 00000ced: PUSH2 0x0a26 00000cf0: JUMP 00000cf1: JUMPDEST 00000cf2: SWAP2 00000cf3: POP 00000cf4: POP 00000cf5: SWAP3 00000cf6: POP 00000cf7: SWAP3 00000cf8: SWAP1 00000cf9: POP 00000cfa: JUMP 00000cfb: JUMPDEST 00000cfc: PUSH1 0x00 00000cfe: PUSH1 0x20 00000d00: DUP3 00000d01: DUP5 00000d02: SUB 00000d03: SLT 00000d04: ISZERO 00000d05: PUSH2 0x0d0d 00000d08: JUMPI 00000d09: PUSH1 0x00 00000d0b: DUP1 00000d0c: REVERT 00000d0d: JUMPDEST 00000d0e: PUSH1 0x00 00000d10: DUP3 00000d11: ADD 00000d12: CALLDATALOAD 00000d13: PUSH8 0xffffffffffffffff 00000d1c: DUP2 00000d1d: GT 00000d1e: ISZERO 00000d1f: PUSH2 0x0d27 00000d22: JUMPI 00000d23: PUSH1 0x00 00000d25: DUP1 00000d26: REVERT 00000d27: JUMPDEST 00000d28: PUSH2 0x0d33 00000d2b: DUP5 00000d2c: DUP3 00000d2d: DUP6 00000d2e: ADD 00000d2f: PUSH2 0x0b26 00000d32: JUMP 00000d33: JUMPDEST 00000d34: SWAP2 00000d35: POP 00000d36: POP 00000d37: SWAP3 00000d38: SWAP2 00000d39: POP 00000d3a: POP 00000d3b: JUMP 00000d3c: JUMPDEST 00000d3d: PUSH2 0x0d45 00000d40: DUP2 00000d41: PUSH2 0x0fde 00000d44: JUMP 00000d45: JUMPDEST 00000d46: DUP3 00000d47: MSTORE 00000d48: POP 00000d49: POP 00000d4a: JUMP 00000d4b: JUMPDEST 00000d4c: PUSH2 0x0d54 00000d4f: DUP2 00000d50: PUSH2 0x0ffe 00000d53: JUMP 00000d54: JUMPDEST 00000d55: DUP3 00000d56: MSTORE 00000d57: POP 00000d58: POP 00000d59: JUMP 00000d5a: JUMPDEST 00000d5b: PUSH2 0x0d63 00000d5e: DUP2 00000d5f: PUSH2 0x100a 00000d62: JUMP 00000d63: JUMPDEST 00000d64: DUP3 00000d65: MSTORE 00000d66: POP 00000d67: POP 00000d68: JUMP 00000d69: JUMPDEST 00000d6a: PUSH1 0x00 00000d6c: PUSH1 0x33 00000d6e: DUP3 00000d6f: MSTORE 00000d70: PUSH32 0x436f6e74726f6c6c6572206973206e6f7420617574686f72697a656420746f20 00000d91: PUSH1 0x20 00000d93: DUP4 00000d94: ADD 00000d95: MSTORE 00000d96: PUSH32 0x65786563757465207472616e73616374696f6e00000000000000000000000000 00000db7: PUSH1 0x40 00000db9: DUP4 00000dba: ADD 00000dbb: MSTORE 00000dbc: PUSH1 0x60 00000dbe: DUP3 00000dbf: ADD 00000dc0: SWAP1 00000dc1: POP 00000dc2: SWAP2 00000dc3: SWAP1 00000dc4: POP 00000dc5: JUMP 00000dc6: JUMPDEST 00000dc7: PUSH1 0x00 00000dc9: PUSH1 0x23 00000dcb: DUP3 00000dcc: MSTORE 00000dcd: PUSH32 0x5472616e73616374696f6e206661696c656420647572696e6720657865637574 00000dee: PUSH1 0x20 00000df0: DUP4 00000df1: ADD 00000df2: MSTORE 00000df3: PUSH32 0x696f6e0000000000000000000000000000000000000000000000000000000000 00000e14: PUSH1 0x40 00000e16: DUP4 00000e17: ADD 00000e18: MSTORE 00000e19: PUSH1 0x60 00000e1b: DUP3 00000e1c: ADD 00000e1d: SWAP1 00000e1e: POP 00000e1f: SWAP2 00000e20: SWAP1 00000e21: POP 00000e22: JUMP 00000e23: JUMPDEST 00000e24: PUSH2 0x0e2c 00000e27: DUP2 00000e28: PUSH2 0x1014 00000e2b: JUMP 00000e2c: JUMPDEST 00000e2d: DUP3 00000e2e: MSTORE 00000e2f: POP 00000e30: POP 00000e31: JUMP 00000e32: JUMPDEST 00000e33: PUSH1 0x00 00000e35: PUSH1 0x20 00000e37: DUP3 00000e38: ADD 00000e39: SWAP1 00000e3a: POP 00000e3b: PUSH2 0x0e47 00000e3e: PUSH1 0x00 00000e40: DUP4 00000e41: ADD 00000e42: DUP5 00000e43: PUSH2 0x0d3c 00000e46: JUMP 00000e47: JUMPDEST 00000e48: SWAP3 00000e49: SWAP2 00000e4a: POP 00000e4b: POP 00000e4c: JUMP 00000e4d: JUMPDEST 00000e4e: PUSH1 0x00 00000e50: PUSH1 0x40 00000e52: DUP3 00000e53: ADD 00000e54: SWAP1 00000e55: POP 00000e56: PUSH2 0x0e62 00000e59: PUSH1 0x00 00000e5b: DUP4 00000e5c: ADD 00000e5d: DUP6 00000e5e: PUSH2 0x0d3c 00000e61: JUMP 00000e62: JUMPDEST 00000e63: PUSH2 0x0e6f 00000e66: PUSH1 0x20 00000e68: DUP4 00000e69: ADD 00000e6a: DUP5 00000e6b: PUSH2 0x0d3c 00000e6e: JUMP 00000e6f: JUMPDEST 00000e70: SWAP4 00000e71: SWAP3 00000e72: POP 00000e73: POP 00000e74: POP 00000e75: JUMP 00000e76: JUMPDEST 00000e77: PUSH1 0x00 00000e79: PUSH1 0x20 00000e7b: DUP3 00000e7c: ADD 00000e7d: SWAP1 00000e7e: POP 00000e7f: PUSH2 0x0e8b 00000e82: PUSH1 0x00 00000e84: DUP4 00000e85: ADD 00000e86: DUP5 00000e87: PUSH2 0x0d4b 00000e8a: JUMP 00000e8b: JUMPDEST 00000e8c: SWAP3 00000e8d: SWAP2 00000e8e: POP 00000e8f: POP 00000e90: JUMP 00000e91: JUMPDEST 00000e92: PUSH1 0x00 00000e94: PUSH1 0x20 00000e96: DUP3 00000e97: ADD 00000e98: SWAP1 00000e99: POP 00000e9a: PUSH2 0x0ea6 00000e9d: PUSH1 0x00 00000e9f: DUP4 00000ea0: ADD 00000ea1: DUP5 00000ea2: PUSH2 0x0d5a 00000ea5: JUMP 00000ea6: JUMPDEST 00000ea7: SWAP3 00000ea8: SWAP2 00000ea9: POP 00000eaa: POP 00000eab: JUMP 00000eac: JUMPDEST 00000ead: PUSH1 0x00 00000eaf: PUSH1 0x80 00000eb1: DUP3 00000eb2: ADD 00000eb3: SWAP1 00000eb4: POP 00000eb5: PUSH2 0x0ec1 00000eb8: PUSH1 0x00 00000eba: DUP4 00000ebb: ADD 00000ebc: DUP8 00000ebd: PUSH2 0x0d5a 00000ec0: JUMP 00000ec1: JUMPDEST 00000ec2: PUSH2 0x0ece 00000ec5: PUSH1 0x20 00000ec7: DUP4 00000ec8: ADD 00000ec9: DUP7 00000eca: PUSH2 0x0e23 00000ecd: JUMP 00000ece: JUMPDEST 00000ecf: PUSH2 0x0edb 00000ed2: PUSH1 0x40 00000ed4: DUP4 00000ed5: ADD 00000ed6: DUP6 00000ed7: PUSH2 0x0d5a 00000eda: JUMP 00000edb: JUMPDEST 00000edc: PUSH2 0x0ee8 00000edf: PUSH1 0x60 00000ee1: DUP4 00000ee2: ADD 00000ee3: DUP5 00000ee4: PUSH2 0x0d5a 00000ee7: JUMP 00000ee8: JUMPDEST 00000ee9: SWAP6 00000eea: SWAP5 00000eeb: POP 00000eec: POP 00000eed: POP 00000eee: POP 00000eef: POP 00000ef0: JUMP 00000ef1: JUMPDEST 00000ef2: PUSH1 0x00 00000ef4: PUSH1 0x20 00000ef6: DUP3 00000ef7: ADD 00000ef8: SWAP1 00000ef9: POP 00000efa: DUP2 00000efb: DUP2 00000efc: SUB 00000efd: PUSH1 0x00 00000eff: DUP4 00000f00: ADD 00000f01: MSTORE 00000f02: PUSH2 0x0f0a 00000f05: DUP2 00000f06: PUSH2 0x0d69 00000f09: JUMP 00000f0a: JUMPDEST 00000f0b: SWAP1 00000f0c: POP 00000f0d: SWAP2 00000f0e: SWAP1 00000f0f: POP 00000f10: JUMP 00000f11: JUMPDEST 00000f12: PUSH1 0x00 00000f14: PUSH1 0x20 00000f16: DUP3 00000f17: ADD 00000f18: SWAP1 00000f19: POP 00000f1a: DUP2 00000f1b: DUP2 00000f1c: SUB 00000f1d: PUSH1 0x00 00000f1f: DUP4 00000f20: ADD 00000f21: MSTORE 00000f22: PUSH2 0x0f2a 00000f25: DUP2 00000f26: PUSH2 0x0dc6 00000f29: JUMP 00000f2a: JUMPDEST 00000f2b: SWAP1 00000f2c: POP 00000f2d: SWAP2 00000f2e: SWAP1 00000f2f: POP 00000f30: JUMP 00000f31: JUMPDEST 00000f32: PUSH1 0x00 00000f34: PUSH1 0x40 00000f36: MLOAD 00000f37: SWAP1 00000f38: POP 00000f39: DUP2 00000f3a: DUP2 00000f3b: ADD 00000f3c: DUP2 00000f3d: DUP2 00000f3e: LT 00000f3f: PUSH8 0xffffffffffffffff 00000f48: DUP3 00000f49: GT 00000f4a: OR 00000f4b: ISZERO 00000f4c: PUSH2 0x0f54 00000f4f: JUMPI 00000f50: PUSH1 0x00 00000f52: DUP1 00000f53: REVERT 00000f54: JUMPDEST 00000f55: DUP1 00000f56: PUSH1 0x40 00000f58: MSTORE 00000f59: POP 00000f5a: SWAP2 00000f5b: SWAP1 00000f5c: POP 00000f5d: JUMP 00000f5e: JUMPDEST 00000f5f: PUSH1 0x00 00000f61: PUSH8 0xffffffffffffffff 00000f6a: DUP3 00000f6b: GT 00000f6c: ISZERO 00000f6d: PUSH2 0x0f75 00000f70: JUMPI 00000f71: PUSH1 0x00 00000f73: DUP1 00000f74: REVERT 00000f75: JUMPDEST 00000f76: PUSH1 0x20 00000f78: DUP3 00000f79: MUL 00000f7a: SWAP1 00000f7b: POP 00000f7c: PUSH1 0x20 00000f7e: DUP2 00000f7f: ADD 00000f80: SWAP1 00000f81: POP 00000f82: SWAP2 00000f83: SWAP1 00000f84: POP 00000f85: JUMP 00000f86: JUMPDEST 00000f87: PUSH1 0x00 00000f89: PUSH8 0xffffffffffffffff 00000f92: DUP3 00000f93: GT 00000f94: ISZERO 00000f95: PUSH2 0x0f9d 00000f98: JUMPI 00000f99: PUSH1 0x00 00000f9b: DUP1 00000f9c: REVERT 00000f9d: JUMPDEST 00000f9e: PUSH1 0x1f 00000fa0: NOT 00000fa1: PUSH1 0x1f 00000fa3: DUP4 00000fa4: ADD 00000fa5: AND 00000fa6: SWAP1 00000fa7: POP 00000fa8: PUSH1 0x20 00000faa: DUP2 00000fab: ADD 00000fac: SWAP1 00000fad: POP 00000fae: SWAP2 00000faf: SWAP1 00000fb0: POP 00000fb1: JUMP 00000fb2: JUMPDEST 00000fb3: PUSH1 0x00 00000fb5: PUSH8 0xffffffffffffffff 00000fbe: DUP3 00000fbf: GT 00000fc0: ISZERO 00000fc1: PUSH2 0x0fc9 00000fc4: JUMPI 00000fc5: PUSH1 0x00 00000fc7: DUP1 00000fc8: REVERT 00000fc9: JUMPDEST 00000fca: PUSH1 0x1f 00000fcc: NOT 00000fcd: PUSH1 0x1f 00000fcf: DUP4 00000fd0: ADD 00000fd1: AND 00000fd2: SWAP1 00000fd3: POP 00000fd4: PUSH1 0x20 00000fd6: DUP2 00000fd7: ADD 00000fd8: SWAP1 00000fd9: POP 00000fda: SWAP2 00000fdb: SWAP1 00000fdc: POP 00000fdd: JUMP 00000fde: JUMPDEST 00000fdf: PUSH1 0x00 00000fe1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000ff6: DUP3 00000ff7: AND 00000ff8: SWAP1 00000ff9: POP 00000ffa: SWAP2 00000ffb: SWAP1 00000ffc: POP 00000ffd: JUMP 00000ffe: JUMPDEST 00000fff: PUSH1 0x00 00001001: DUP2 00001002: ISZERO 00001003: ISZERO 00001004: SWAP1 00001005: POP 00001006: SWAP2 00001007: SWAP1 00001008: POP 00001009: JUMP 0000100a: JUMPDEST 0000100b: PUSH1 0x00 0000100d: DUP2 0000100e: SWAP1 0000100f: POP 00001010: SWAP2 00001011: SWAP1 00001012: POP 00001013: JUMP 00001014: JUMPDEST 00001015: PUSH1 0x00 00001017: PUSH1 0xff 00001019: DUP3 0000101a: AND 0000101b: SWAP1 0000101c: POP 0000101d: SWAP2 0000101e: SWAP1 0000101f: POP 00001020: JUMP 00001021: JUMPDEST 00001022: PUSH1 0x00 00001024: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00001039: DUP3 0000103a: AND 0000103b: SWAP1 0000103c: POP 0000103d: SWAP2 0000103e: SWAP1 0000103f: POP 00001040: JUMP 00001041: JUMPDEST 00001042: PUSH1 0x00 00001044: DUP2 00001045: SWAP1 00001046: POP 00001047: SWAP2 00001048: SWAP1 00001049: POP 0000104a: JUMP 0000104b: JUMPDEST 0000104c: PUSH1 0x00 0000104e: DUP2 0000104f: SWAP1 00001050: POP 00001051: SWAP2 00001052: SWAP1 00001053: POP 00001054: JUMP 00001055: JUMPDEST 00001056: PUSH1 0x00 00001058: PUSH1 0xff 0000105a: DUP3 0000105b: AND 0000105c: SWAP1 0000105d: POP 0000105e: SWAP2 0000105f: SWAP1 00001060: POP 00001061: JUMP 00001062: JUMPDEST 00001063: DUP3 00001064: DUP2 00001065: DUP4 00001066: CALLDATACOPY 00001067: PUSH1 0x00 00001069: DUP4 0000106a: DUP4 0000106b: ADD 0000106c: MSTORE 0000106d: POP 0000106e: POP 0000106f: POP 00001070: JUMP 00001071: STOP 00001072: LOG2 00001073: PUSH6 0x627a7a723058 0000107a: KECCAK256 0000107b: ADDMOD 0000107c: DUP3 0000107d: CREATE2 0000107e: UNKNOWN(0xE6) 0000107f: ISZERO 00001080: UNKNOWN(0xD2) 00001081: RETURN 00001082: PUSH10 0x0ee950d0850b981d4995 0000108d: PUSH26 0xb01fcef47c34ed827e06bd84a76c6578706572696d656e74616c 000010a8: CREATE2 000010a9: STOP 000010aa: CALLDATACOPY
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | auth | codex | Replayable signed transactions (no nonce/used-hash tracking) allow repeated withdrawals | 85 | no | — |
viewevidence_json{
"evidence": "Signature verification uses ecrecover via precompile call (PUSH1 0x01 then CALL at 0x07c6\u20130x0809) after hashing with the Ethereum Signed Message prefix (0x36e includes 0x19457468... at 0x0434). Execution path (0x04d3) calls the signature check (jump to 0x0218 at 0x0533\u20130x0537) and then performs the external CALL (0x05fd). There is no SSTORE in the execution path; the only runtime SSTORE is at 0x074d (controller update), so no nonce/used-hash is ever recorded.",
"locations": [
"runtime_bytecode.hex:0x04d3",
"runtime_bytecode.hex:0x0218",
"runtime_bytecode.hex:0x036e",
"runtime_bytecode.hex:0x07c6",
"runtime_bytecode.hex:0x0809",
"runtime_bytecode.hex:0x074d"
],
"recommendation": "Include a nonce or transaction-hash replay protection in storage (e.g., incrementing nonce or mapping used hashes) and verify it as part of the signed message before executing.",
"exploit_scenario": "1) Observe or obtain a valid signed transaction payload (e.g., a one-time payout to your address) used with selector 0x62c529e4. 2) Call the same function again with the exact same payload/signature. 3) Because no nonce/used-hash is stored, the signature check passes every time and the contract re-executes the underlying CALL, transferring ETH/tokens repeatedly until the balance is exhausted."
}
|
| medium | other | detector | Untrusted CALL target/value reachable | 45 | no | no |
viewtrace_id: 0x8621ab2aba118b4ed16b1f6e3089b96ed371f7529b9e4c4141ecbe0d88a73a3b
call_targets:
0x135bbbf1903c61fa25596ee4e27b8f14ed968c04
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x8621ab2aba118b4ed16b1f6e3089b96ed371f7529b9e4c4141ecbe0d88a73a3b",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x135bbbf1903c61fa25596ee4e27b8f14ed968c04"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xffffffff",
"selector": "0xffffffff",
"calldata_variants": [
"0xffffffff",
"0xffffffff0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x049e1d4d",
"selector": "0x049e1d4d",
"calldata_variants": [
"0x049e1d4d",
"0x049e1d4d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x10bfce71",
"selector": "0x10bfce71",
"calldata_variants": [
"0x10bfce71",
"0x10bfce710000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3018205f",
"selector": "0x3018205f",
"calldata_variants": [
"0x3018205f",
"0x3018205f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4ee7f87d",
"selector": "0x4ee7f87d",
"calldata_variants": [
"0x4ee7f87d",
"0x4ee7f87d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x62c529e4",
"selector": "0x62c529e4",
"calldata_variants": [
"0x62c529e4",
"0x62c529e40000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x92eefe9b",
"selector": "0x92eefe9b",
"calldata_variants": [
"0x92eefe9b",
"0x92eefe9b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xee8bd82d",
"selector": "0xee8bd82d",
"calldata_variants": [
"0xee8bd82d",
"0xee8bd82d0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1533,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2057,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 2,
"guards_detected": [
{
"pc": 1778,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"untrusted_call_count": 2
}
|
| medium | other | detector | ETH value transfer possible | 40 | no | no |
viewtrace_id: 0x8621ab2aba118b4ed16b1f6e3089b96ed371f7529b9e4c4141ecbe0d88a73a3b
call_targets:
0x135bbbf1903c61fa25596ee4e27b8f14ed968c04
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x8621ab2aba118b4ed16b1f6e3089b96ed371f7529b9e4c4141ecbe0d88a73a3b",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x135bbbf1903c61fa25596ee4e27b8f14ed968c04"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xffffffff",
"selector": "0xffffffff",
"calldata_variants": [
"0xffffffff",
"0xffffffff0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x049e1d4d",
"selector": "0x049e1d4d",
"calldata_variants": [
"0x049e1d4d",
"0x049e1d4d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x10bfce71",
"selector": "0x10bfce71",
"calldata_variants": [
"0x10bfce71",
"0x10bfce710000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3018205f",
"selector": "0x3018205f",
"calldata_variants": [
"0x3018205f",
"0x3018205f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4ee7f87d",
"selector": "0x4ee7f87d",
"calldata_variants": [
"0x4ee7f87d",
"0x4ee7f87d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x62c529e4",
"selector": "0x62c529e4",
"calldata_variants": [
"0x62c529e4",
"0x62c529e40000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x92eefe9b",
"selector": "0x92eefe9b",
"calldata_variants": [
"0x92eefe9b",
"0x92eefe9b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xee8bd82d",
"selector": "0xee8bd82d",
"calldata_variants": [
"0xee8bd82d",
"0xee8bd82d0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1533,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2057,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 2,
"guards_detected": [
{
"pc": 1778,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
]
}
|
| medium | other | detector | CREATE/CREATE2 reachable | 45 | no | no |
viewtrace_id: 0x9d47ca59bcd527d5f489bf3ce9e4e5043c5ac099d0f058574a00ad16f59c04ee
validation_json{
"sink": "CREATE",
"errors": 0,
"status": "unknown",
"attempts": 18,
"trace_id": "0x9d47ca59bcd527d5f489bf3ce9e4e5043c5ac099d0f058574a00ad16f59c04ee",
"confirmed": false,
"trace_mode": "structLogs",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0xffffffff",
"selector": "0xffffffff",
"calldata_variants": [
"0xffffffff",
"0xffffffff0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x049e1d4d",
"selector": "0x049e1d4d",
"calldata_variants": [
"0x049e1d4d",
"0x049e1d4d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x10bfce71",
"selector": "0x10bfce71",
"calldata_variants": [
"0x10bfce71",
"0x10bfce710000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3018205f",
"selector": "0x3018205f",
"calldata_variants": [
"0x3018205f",
"0x3018205f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4ee7f87d",
"selector": "0x4ee7f87d",
"calldata_variants": [
"0x4ee7f87d",
"0x4ee7f87d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x62c529e4",
"selector": "0x62c529e4",
"calldata_variants": [
"0x62c529e4",
"0x62c529e40000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x92eefe9b",
"selector": "0x92eefe9b",
"calldata_variants": [
"0x92eefe9b",
"0x92eefe9b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xee8bd82d",
"selector": "0xee8bd82d",
"calldata_variants": [
"0xee8bd82d",
"0xee8bd82d0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"create_count": 0,
"create2_count": 2
}
|
| low | other | cast | Contract creation opcode present | 60 | no | — |
viewevidence_json{
"notes": "runtime can deploy contracts dynamically via CREATE/CREATE2",
"create_count": 0,
"create2_count": 2
}
|