e9614a24-c933-49b6-88ea-ffee16af7229
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31132 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 76606 | artifact.fetch | complete | 1 / 3 | 1 week ago |
| 76607 | tool.cast_disasm | complete | 1 / 3 | 1 week ago |
| 76608 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 76609 | capability.graph | complete | 1 / 3 | 1 week ago |
| 76610 | detector.run | complete | 1 / 3 | 1 week ago |
| 76611 | validation.fork | complete | 1 / 3 | 1 week ago |
No slither job recorded yet.
[codex:535965] OpenAI Codex v0.77.0 (research preview)
[codex:535965] --------
[codex:535965] workdir: /tmp/codex-multi-ucreydj3
[codex:535965] model: gpt-5.2-codex
[codex:535965] provider: openai
[codex:535965] approval: never
[codex:535965] sandbox: read-only
[codex:535965] reasoning effort: xhigh
[codex:535965] reasoning summaries: auto
[codex:535965] session id: 019b7b5f-8803-7f12-9363-45aab01c5291
[codex:535965] --------
[codex:535965] user
[codex:535965] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:535965]
[codex:535965] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:535965]
[codex:535965] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:535965] - Gas inefficiency, code quality, or best practices
[codex:535965] - Theoretical vulnerabilities without a clear extraction path
[codex:535965] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:535965] - Issues requiring social engineering or off-chain coordination
[codex:535965]
[codex:535965] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:535965] - CALL/DELEGATECALL with controllable destination or calldata
[codex:535965] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:535965] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:535965] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:535965] - External calls before state updates (reentrancy)
[codex:535965] - SELFDESTRUCT with controllable beneficiary
[codex:535965] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:535965]
[codex:535965] For each finding, you MUST explain:
[codex:535965] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:535965] 2. The concrete sequence of transactions to extract value
[codex:535965] 3. Why you believe this is exploitable (not just suspicious)
[codex:535965]
[codex:535965] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:535965] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:535965]
[codex:535965] Output MUST be valid JSON matching the provided schema.
[codex:535965] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:535965] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:535965] mcp startup: no servers
[codex:535965]
[codex:535965] thinking
[codex:535965] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:535965] exec
[codex:535965] /bin/bash -lc ls in /tmp/codex-multi-ucreydj3 succeeded in 5ms:
[codex:535965] BYTECODE_BUNDLE.txt
[codex:535965] codex-output-schema.json
[codex:535965]
[codex:535965] thinking
[codex:535965] **Reading BYTECODE_BUNDLE.txt**
[codex:535965] exec
[codex:535965] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-ucreydj3 succeeded in 5ms:
[codex:535965] Runtime bytecode bundle for best-effort auditing.
[codex:535965] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:535965]
[codex:535965] FILE: runtime_bytecode.hex
[codex:535965] 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
[codex:535965]
[codex:535965] thinking
[codex:535965] **Decoding bytecode functions and ownership logic**
[codex:535965]
[codex:535965] I'm analyzing the bytecode to identify function selectors and their roles, especially around ownership and withdrawal. I mapped standard Ownable functions like owner(), transferOwnership(), and renounceOwnership(), and I'm interpreting a suspicious function (6b9f96ea) that might handle withdrawing funds by calling another address with the contract balance. I'm planning to disassemble parts manually and potentially script disassembly to validate these hypotheses and detect any exploit paths.
[codex:535965] exec
[codex:535965] /bin/bash -lc "python - <<'PY'
[codex:535965] from binascii import unhexlify
[codex:535965] import textwrap
[codex:535965] hexstr='''60806040526004361061004a5760003560e01c80630a0a05e6146101d05780636b9f96ea14610203578063715018a6146102185780638da5cb5b1461022d578063f2fde38b1461025e575b341561009057604080513481529051600091829133917f700447ec4170a8ebc6b67182ac966faf6dff7d46dc24a1a4a7f0a98e84db9cec919081900360200190a46101ce565b610098610291565b6001600160a01b0316336001600160a01b031614156101ce577368ef21a0168bcf753871e9fc26c86dd482cdd03560008082634a91da906100dc6020843681610505565b60208110156100ea57600080fd5b50604080516001600160e01b031960e085901b16815291356004830152516024808301926020929190829003018186803b15801561012757600080fd5b505afa15801561013b573d6000803e3d6000fd5b505050506040513d602081101561015157600080fd5b50516040519091506001600160a01b0382169060009036908083838082843760405192019450600093509091505080830381855af49150503d80600081146101b5576040519150601f19603f3d011682016040523d82523d6000602084013e6101ba565b606091505b505080925050816101ca57600080fd5b5050505b005b3480156101dc57600080fd5b506101ce600480360360208110156101f357600080fd5b50356001600160a01b03166102a0565b34801561020f57600080fd5b506101ce610321565b34801561022457600080fd5b506101ce61035d565b34801561023957600080fd5b50610242610291565b604080516001600160a01b039092168252519081900360200190f35b34801561026a57600080fd5b506101ce6004803603602081101561028157600080fd5b50356001600160a01b0316610406565b6000546001600160a01b031690565b6000546001600160a01b031633146102ff576040805162461bcd60e51b815260206004820181905260248201527f4f776e61626c653a2063616c6c6572206973206e6f7420746865206f776e6572604482015290519081900360640190fd5b600180546001600160a01b0319166001600160a01b0392909216919091179055565b6001546040516001600160a01b03909116904780156108fc02916000818181858888f1935050505015801561035a573d6000803e3d6000fd5b50565b6000546001600160a01b031633146103bc576040805162461bcd60e51b815260206004820181905260248201527f4f776e61626c653a2063616c6c6572206973206e6f7420746865206f776e6572604482015290519081900360640190fd5b600080546040516001600160a01b03909116907f8be0079c531659141344c
d1fd0a4f28419497f9722a3daafe3b4186f6b6457e0908390a3600080546001600160a01b0319169055565b6000546001600160a01b03163314610465576040805162461bcd60e51b815260206004820181905260248201527f4f776e61626c653a2063616c6c6572206973206e6f7420746865206f776e6572604482015290519081900360640190fd5b6001600160a01b0381166104aa5760405162461bcd60e51b815260040180806020018281038252602681526020018061052e6026913960400191505060405180910390fd5b600080546040516001600160a01b03808516939216917f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e091a3600080546001600160a01b0319166001600160a01b0392909216919091179055565b60008085851115610514578182fd5b83861115610520578182fd5b505082019391909203915056fe4f776e61626c653a206e6577206f776e657220697320746865207a65726f2061646472657373a2646970667358221220fad1e906c98982cbc98b1fd610864eeabe3e860aff044a5b3a54d5dd624923dc64736f6c634300060c0033'''.strip()
[codex:535965]
[codex:535965] # Simple disassembler
[codex:535965] opcodes = {
[codex:535965] 0x00: 'STOP', 0x01: 'ADD', 0x02: 'MUL', 0x03: 'SUB', 0x04: 'DIV', 0x05: 'SDIV', 0x06: 'MOD', 0x07: 'SMOD', 0x08: 'ADDMOD', 0x09: 'MULMOD', 0x0a: 'EXP', 0x0b: 'SIGNEXTEND',
[codex:535965] 0x10: 'LT', 0x11: 'GT', 0x12: 'SLT', 0x13: 'SGT', 0x14: 'EQ', 0x15: 'ISZERO', 0x16: 'AND', 0x17: 'OR', 0x18: 'XOR', 0x19: 'NOT', 0x1a: 'BYTE', 0x1b: 'SHL', 0x1c: 'SHR', 0x1d: 'SAR',
[codex:535965] 0x20: 'SHA3',
[codex:535965] 0x30: 'ADDRESS', 0x31: 'BALANCE', 0x32: 'ORIGIN', 0x33: 'CALLER', 0x34: 'CALLVALUE', 0x35: 'CALLDATALOAD', 0x36: 'CALLDATASIZE', 0x37: 'CALLDATACOPY', 0x38: 'CODESIZE', 0x39: 'CODECOPY', 0x3a: 'GASPRICE', 0x3b: 'EXTCODESIZE', 0x3c: 'EXTCODECOPY', 0x3d: 'RETURNDATASIZE', 0x3e: 'RETURNDATACOPY', 0x3f: 'EXTCODEHASH',
[codex:535965] 0x40: 'BLOCKHASH', 0x41: 'COINBASE', 0x42: 'TIMESTAMP', 0x43: 'NUMBER', 0x44: 'DIFFICULTY', 0x45: 'GASLIMIT', 0x46: 'CHAINID', 0x47: 'SELFBALANCE', 0x48: 'BASEFEE',
[codex:535965] 0x50: 'POP', 0x51: 'MLOAD', 0x52: 'MSTORE', 0x53: 'MSTORE8', 0x54: 'SLOAD', 0x55: 'SSTORE', 0x56: 'JUMP', 0x57: 'JUMPI', 0x58: 'PC', 0x59: 'MSIZE', 0x5a: 'GAS', 0x5b: 'JUMPDEST',
[codex:535965] 0x60: 'PUSH1', 0x61: 'PUSH2', 0x62: 'PUSH3', 0x63: 'PUSH4', 0x64: 'PUSH5', 0x65: 'PUSH6', 0x66: 'PUSH7', 0x67: 'PUSH8', 0x68: 'PUSH9', 0x69: 'PUSH10', 0x6a: 'PUSH11', 0x6b: 'PUSH12', 0x6c: 'PUSH13', 0x6d: 'PUSH14', 0x6e: 'PUSH15', 0x6f: 'PUSH16',
[codex:535965] 0x70: 'PUSH17', 0x71: 'PUSH18', 0x72: 'PUSH19', 0x73: 'PUSH20', 0x74: 'PUSH21', 0x75: 'PUSH22', 0x76: 'PUSH23', 0x77: 'PUSH24', 0x78: 'PUSH25', 0x79: 'PUSH26', 0x7a: 'PUSH27', 0x7b: 'PUSH28', 0x7c: 'PUSH29', 0x7d: 'PUSH30', 0x7e: 'PUSH31', 0x7f: 'PUSH32',
[codex:535965] 0x80: 'DUP1', 0x81: 'DUP2', 0x82: 'DUP3', 0x83: 'DUP4', 0x84: 'DUP5', 0x85: 'DUP6', 0x86: 'DUP7', 0x87: 'DUP8', 0x88: 'DUP9', 0x89: 'DUP10', 0x8a: 'DUP11', 0x8b: 'DUP12', 0x8c: 'DUP13', 0x8d: 'DUP14', 0x8e: 'DUP15', 0x8f: 'DUP16',
[codex:535965] 0x90: 'SWAP1', 0x91: 'SWAP2', 0x92: 'SWAP3', 0x93: 'SWAP4', 0x94: 'SWAP5', 0x95: 'SWAP6', 0x96: 'SWAP7', 0x97: 'SWAP8', 0x98: 'SWAP9', 0x99: 'SWAP10', 0x9a: 'SWAP11', 0x9b: 'SWAP12', 0x9c: 'SWAP13', 0x9d: 'SWAP14', 0x9e: 'SWAP15', 0x9f: 'SWAP16',
[codex:535965] 0xa0: 'LOG0', 0xa1: 'LOG1', 0xa2: 'LOG2', 0xa3: 'LOG3', 0xa4: 'LOG4',
[codex:535965] 0xf0: 'CREATE', 0xf1: 'CALL', 0xf2: 'CALLCODE', 0xf3: 'RETURN', 0xf4: 'DELEGATECALL', 0xf5: 'CREATE2', 0xfa: 'STATICCALL', 0xfd: 'REVERT', 0xfe: 'INVALID', 0xff: 'SELFDESTRUCT',
[codex:535965] }
[codex:535965]
[codex:535965] code = bytes.fromhex(hexstr)
[codex:535965]
[codex:535965] # disassemble with offsets
[codex:535965] ops = []
[codex:535965] i = 0
[codex:535965] while i < len(code):
[codex:535965]     op = code[i]
[codex:535965]     name = opcodes.get(op, f'OP{op:02x}')
[codex:535965]     if 0x60 <= op <= 0x7f:
[codex:535965]         n = op - 0x5f
[codex:535965]         data = code[i+1:i+1+n]
[codex:535965]         ops.append((i, name, data.hex()))
[codex:535965]         i += 1 + n
[codex:535965]     else:
[codex:535965]         ops.append((i, name, ''))
[codex:535965]         i += 1
[codex:535965]
[codex:535965] # print a window around function 0x0321 maybe
[codex:535965] for off,name,data in ops:
[codex:535965]     if off >= 0x0300 and off < 0x0365:
[codex:535965]         print(f\"{off:04x}: {name} {data}\")
[codex:535965] PY" in /tmp/codex-multi-ucreydj3 succeeded in 29ms:
[codex:535965] 0300: PUSH1 01
[codex:535965] 0302: DUP1
[codex:535965] 0303: SLOAD
[codex:535965] 0304: PUSH1 01
[codex:535965] 0306: PUSH1 01
[codex:535965] 0308: PUSH1 a0
[codex:535965] 030a: SHL
[codex:535965] 030b: SUB
[codex:535965] 030c: NOT
[codex:535965] 030d: AND
[codex:535965] 030e: PUSH1 01
[codex:535965] 0310: PUSH1 01
[codex:535965] 0312: PUSH1 a0
[codex:535965] 0314: SHL
[codex:535965] 0315: SUB
[codex:535965] 0316: SWAP3
[codex:535965] 0317: SWAP1
[codex:535965] 0318: SWAP3
[codex:535965] 0319: AND
[codex:535965] 031a: SWAP2
[codex:535965]
[codex:535965] thinking
[codex:535965] **Analyzing EVM call argument construction**
[codex:535965] exec
[codex:535965] /bin/bash -lc "python - <<'PY'
[codex:535965] from collections import deque
[codex:535965]
[codex:535965] # op sequence for 0x0321-0x0344 from disassembly above
[codex:535965] ops = [
[codex:535965] ('PUSH1','01'),('SLOAD',None),('PUSH1','40'),('MLOAD',None),('PUSH1','01'),('PUSH1','01'),('PUSH1','a0'),('SHL',None),('SUB',None),('SWAP1',None),('SWAP2',None),('AND',None),('SWAP1',None),('SELFBALANCE',None),('DUP1',None),('ISZERO',None),('PUSH2','08fc'),('MUL',None),('SWAP2',None),('PUSH1','00'),('DUP2',None),('DUP2',None),('DUP2',None),('DUP6',None),('DUP9',None),('DUP9',None),('CALL',None)
[codex:535965] ]
[codex:535965]
[codex:535965] stack = []
[codex:535965]
[codex:535965] val_counter = 0
[codex:535965]
[codex:535965] def push(val):
[codex:535965]     stack.append(val)
[codex:535965]
[codex:535965] def pop():
[codex:535965]     return stack.pop()
[codex:535965]
[codex:535965] # We'll label computed values as expr strings
[codex:535965] for op,data in ops:
[codex:535965]     if op.startswith('PUSH'):
[codex:535965]         push(f\"0x{data}\")
[codex:535965]     elif op == 'SLOAD':
[codex:535965]         slot = pop(); push(f\"sload({slot})\")
[codex:535965]     elif op == 'MLOAD':
[codex:535965]         off=pop(); push(f\"mload({off})\")
[codex:535965]     elif op == 'SHL':
[codex:535965]         shift=pop(); val=pop(); push(f\"({val}<<{shift})\")
[codex:535965]     elif op == 'SUB':
[codex:535965]         b=pop(); a=pop(); push(f\"({a}-{b})\")
[codex:535965]     elif op == 'AND':
[codex:535965]         b=pop(); a=pop(); push(f\"({a}&{b})\")
[codex:535965]     elif op == 'SELFBALANCE':
[codex:535965]         push('selfbalance')
[codex:535965]     elif op == 'DUP1':
[codex:535965]         push(stack[-1])
[codex:535965]     elif op == 'DUP2':
[codex:535965]         push(stack[-2])
[codex:535965]     elif op == 'DUP6':
[codex:535965]         push(stack[-6])
[codex:535965]     elif op == 'DUP9':
[codex:535965]         push(stack[-9])
[codex:535965]     elif op.startswith('SWAP'):
[codex:535965]         n = int(op[4:])
[codex:535965]         stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:535965]     elif op == 'ISZERO':
[codex:535965]         a=pop(); push(f\"iszero({a})\")
[codex:535965]     elif op == 'MUL':
[codex:535965]         b=pop(); a=pop(); push(f\"({a}*{b})\")
[codex:535965]     elif op == 'CALL':
[codex:535965]         # At CALL, print stack
[codex:535965]         print('Stack before CALL (top last):')
[codex:535965]         for i,v in enumerate(stack):
[codex:535965]             print(i, v)
[codex:535965]         break
[codex:535965]
[codex:535965] PY" in /tmp/codex-multi-ucreydj3 succeeded in 19ms:
[codex:535965] Stack before CALL (top last):
[codex:535965] 0 ((0x01-(0x01<<0xa0))&sload(0x01))
[codex:535965] 1 (iszero(selfbalance)*0x08fc)
[codex:535965] 2 selfbalance
[codex:535965] 3 mload(0x40)
[codex:535965] 4 0x00
[codex:535965] 5 mload(0x40)
[codex:535965] 6 0x00
[codex:535965] 7 mload(0x40)
[codex:535965] 8 selfbalance
[codex:535965] 9 ((0x01-(0x01<<0xa0))&sload(0x01))
[codex:535965] 10 (iszero(selfbalance)*0x08fc)
[codex:535965]
[codex:535965] thinking
[codex:535965] **Analyzing EVM CALL behavior and access control**
[codex:535965] exec
[codex:535965] /bin/bash -lc "python - <<'PY'
[codex:535965] from binascii import unhexlify
[codex:535965] hexstr='''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'''.strip()
[codex:535965]
[codex:535965] # disassemble around 0x02a0
[codex:535965] opcodes = {**{i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}, **{i: f'DUP{i-0x7f}' for i in range(0x80,0x90)}, **{i: f'SWAP{i-0x8f}' for i in range(0x90,0xa0)}}
[codex:535965] # add some op names
[codex:535965] opcodes.update({0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x11:'GT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x19:'NOT',0x1b:'SHL',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x39:'CODECOPY',0x3b:'EXTCODESIZE',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x47:'SELFBALANCE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x63:'PUSH4',0x7f:'PUSH32',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf1:'CALL',0xf3:'RETURN',0xf4:'DELEGATECALL',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})
[codex:535965]
[codex:535965] code = bytes.fromhex(hexstr)
[codex:535965]
[codex:535965] ops = []
[codex:535965] i=0
[codex:535965] while i<len(code):
[codex:535965]     op=code[i]
[codex:535965]     name = opcodes.get(op, f'OP{op:02x}')
[codex:535965]     if 0x60 <= op <= 0x7f:
[codex:535965]         n=op-0x5f
[codex:535965]         data=code[i+1:i+1+n]
[codex:535965]         ops.append((i,name,data.hex()))
[codex:535965]         i+=1+n
[codex:535965]     else:
[codex:535965]         ops.append((i,name,''))
[codex:535965]         i+=1
[codex:535965]
[codex:535965] for off,name,data in ops:
[codex:535965]     if 0x0280 <= off < 0x0321:
[codex:535965]         print(f\"{off:04x}: {name} {data}\")
[codex:535965] PY" in /tmp/codex-multi-ucreydj3 succeeded in 19ms:
[codex:535965] 0280: REVERT
[codex:535965] 0281: JUMPDEST
[codex:535965] 0282: POP
[codex:535965] 0283: CALLDATALOAD
[codex:535965] 0284: PUSH1 01
[codex:535965] 0286: PUSH1 01
[codex:535965] 0288: PUSH1 a0
[codex:535965] 028a: SHL
[codex:535965] 028b: SUB
[codex:535965] 028c: AND
[codex:535965] 028d: PUSH2 0406
[codex:535965] 0290: JUMP
[codex:535965] 0291: JUMPDEST
[codex:535965] 0292: PUSH1 00
[codex:535965] 0294: SLOAD
[codex:535965] 0295: PUSH1 01
[codex:535965] 0297: PUSH1 01
[codex:535965] 0299: PUSH1 a0
[codex:535965] 029b: SHL
[codex:535965] 029c: SUB
[codex:535965]
[codex:535965] thinking
[codex:535965] **Analyzing contract function dispatch and storage patterns**
[codex:535965] exec
[codex:535965] /bin/bash -lc "python - <<'PY'
[codex:535965] from binascii import unhexlify
[codex:535965] hexstr='''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'''.strip()
[codex:535965]
[codex:535965] opcodes = {**{i: f'PUSH{i-0x5f}' for i in range(0x60,0x80)}, **{i: f'DUP{i-0x7f}' for i in range(0x80,0x90)}, **{i: f'SWAP{i-0x8f}' for i in range(0x90,0xa0)}}
[codex:535965] opcodes.update({0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x10:'LT',0x11:'GT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x19:'NOT',0x1b:'SHL',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x39:'CODECOPY',0x3b:'EXTCODESIZE',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x47:'SELFBALANCE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',0x5a:'GAS',0x5f:'PUSH0',0x60:'PUSH1',0x61:'PUSH2',0x63:'PUSH4',0x7f:'PUSH32',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})
[codex:535965]
[codex:535965] code = bytes.fromhex(hexstr)
[codex:535965]
[codex:535965] i=0
[codex:535965] ops=[]
[codex:535965] while i<len(code):
[codex:535965]     op=code[i]
[codex:535965]     name=opcodes.get(op,f'OP{op:02x}')
[codex:535965]     if 0x60<=op<=0x7f:
[codex:535965]         n=op-0x5f
[codex:535965]         data=code[i+1:i+1+n]
[codex:535965]         ops.append((i,name,data.hex()))
[codex:535965]         i+=1+n
[codex:535965]     else:
[codex:535965]         ops.append((i,name,''))
[codex:535965]         i+=1
[codex:535965]
[codex:535965] for off,name,data in ops:
[codex:535965]     if 0x0080 <= off < 0x01d0:
[codex:535965]         print(f\"{off:04x}: {name} {data}\")
[codex:535965] PY" in /tmp/codex-multi-ucreydj3 succeeded in 21ms:
[codex:535965] 0082: SWAP2
[codex:535965] 0083: SWAP1
[codex:535965] 0084: DUP2
[codex:535965] 0085: SWAP1
[codex:535965] 0086: SUB
[codex:535965] 0087: PUSH1 20
[codex:535965] 0089: ADD
[codex:535965] 008a: SWAP1
[codex:535965] 008b: LOG4
[codex:535965] 008c: PUSH2 01ce
[codex:535965] 008f: JUMP
[codex:535965] 0090: JUMPDEST
[codex:535965] 0091: PUSH2 0098
[codex:535965] 0094: PUSH2 0291
[codex:535965] 0097: JUMP
[codex:535965] 0098: JUMPDEST
[codex:535965] 0099: PUSH1 01
[codex:535965] 009b: PUSH1 01
[codex:535965] 009d: PUSH1 a0
[codex:535965] 009f: SHL
[codex:535965]
[codex:535965]
[codex:535965] thinking
[codex:535965] **Analyzing fallback and ownership checks**
[codex:535965] thinking
[codex:535965] **Preparing final JSON report with analysis**
[codex:535965]
[codex:535965] I'll summarize that no concrete exploit was identified in the bytecode after a thorough review, then output the required JSON per the schema the user expects.
[codex:535965] codex
[codex:535965] {"no_findings":true,"summary":"No concrete, exploitable path to extract value identified in the provided runtime bytecode.","findings":[]}
[codex:535965] tokens used
[codex:535965] 40,128
[codex:535965] {"no_findings":true,"summary":"No concrete, exploitable path to extract value identified in the provided runtime bytecode.","findings":[]}
{
"codex": {
"ran_at": "2026-01-01T21:09:26.736669+00:00",
"returncode": 0
},
"summary": "No concrete, exploitable path to extract value identified in the provided runtime bytecode.",
"raw_final": {
"summary": "No concrete, exploitable path to extract value identified in the provided runtime bytecode.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
trace_id: 0x4ea84ed6b137711c4eee75b16889ec42d2a6a35de992bbe64f23260b2869d92e
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "unknown",
"attempts": 60,
"trace_id": "0x4ea84ed6b137711c4eee75b16889ec42d2a6a35de992bbe64f23260b2869d92e",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0a0a05e6",
"selector": "0x0a0a05e6",
"calldata_variants": [
"0x0a0a05e6",
"0x0a0a05e60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6b9f96ea",
"selector": "0x6b9f96ea",
"calldata_variants": [
"0x6b9f96ea",
"0x6b9f96ea0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x715018a6",
"selector": "0x715018a6",
"calldata_variants": [
"0x715018a6",
"0x715018a60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 390,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 1,
"untrusted_delegatecall_count": 1
}
|
| high | other | cast | SELFDESTRUCT present | 85 | no | — |
evidence_json{
"notes": "selfdestruct can remove contract code and send funds; review reachability",
"selfdestruct_count": 1
}
|
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no |
trace_id: 0x4c83fd1e3597fba3946cc9a29534f2dac303de1954ce69fd60700dd7e948f79d
call_targets:
0xbb44e3349c23cc430cae6ebbaf0256c9f2a1872f
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x4c83fd1e3597fba3946cc9a29534f2dac303de1954ce69fd60700dd7e948f79d",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xbb44e3349c23cc430cae6ebbaf0256c9f2a1872f"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0a0a05e6",
"selector": "0x0a0a05e6",
"calldata_variants": [
"0x0a0a05e6",
"0x0a0a05e60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6b9f96ea",
"selector": "0x6b9f96ea",
"calldata_variants": [
"0x6b9f96ea",
"0x6b9f96ea0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x715018a6",
"selector": "0x715018a6",
"calldata_variants": [
"0x715018a6",
"0x715018a60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 836,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | no | no |
trace_id: 0x4c83fd1e3597fba3946cc9a29534f2dac303de1954ce69fd60700dd7e948f79d
call_targets:
0xbb44e3349c23cc430cae6ebbaf0256c9f2a1872f
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x4c83fd1e3597fba3946cc9a29534f2dac303de1954ce69fd60700dd7e948f79d",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xbb44e3349c23cc430cae6ebbaf0256c9f2a1872f"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0a0a05e6",
"selector": "0x0a0a05e6",
"calldata_variants": [
"0x0a0a05e6",
"0x0a0a05e60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6b9f96ea",
"selector": "0x6b9f96ea",
"calldata_variants": [
"0x6b9f96ea",
"0x6b9f96ea0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x715018a6",
"selector": "0x715018a6",
"calldata_variants": [
"0x715018a6",
"0x715018a60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 836,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| high | other | detector | SELFDESTRUCT reachable | 65 | no | no |
trace_id: 0x8b581e361b4ff80150c48c27a6b74bb9966b1571cd2b76ef7d651eae72ab4c62
validation_json{
"sink": "SELFDESTRUCT",
"errors": 0,
"status": "unknown",
"attempts": 10,
"trace_id": "0x8b581e361b4ff80150c48c27a6b74bb9966b1571cd2b76ef7d651eae72ab4c62",
"confirmed": false,
"trace_mode": "structLogs",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0a0a05e6",
"selector": "0x0a0a05e6",
"calldata_variants": [
"0x0a0a05e6",
"0x0a0a05e60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6b9f96ea",
"selector": "0x6b9f96ea",
"calldata_variants": [
"0x6b9f96ea",
"0x6b9f96ea0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x715018a6",
"selector": "0x715018a6",
"calldata_variants": [
"0x715018a6",
"0x715018a60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"guards_detected": [],
"selfdestruct_count": 1
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
evidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 1
}
|