Functions

DISCLAIMER // NFA // DYOR

This analysis is based on observations of the contract bytecode. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.

This analysis is based on decompiled bytecode, which may not perfectly represent the original source code. Function names are reconstructed from known selectors.

⊙ generated by robots | curated by humans

METADATA
Contract Address	`0x1f2f10d1c40777ae1da742455c65828ff36df387` (etherscan)
Network	Ethereum Mainnet
Analysis Date	2026-01-05

Function Dispatch Overview

The contract does not use standard Solidity function selectors. Instead, it employs a jump table mechanism where the first bytes of calldata determine which code path executes. This analysis identifies the external protocol calls the contract can make.

External Protocol Integrations

SELECTOR	FUNCTION SIGNATURE	TARGET PROTOCOL
`0x022c0d9f`	`swap(uint256,uint256,address,bytes)`	Uniswap V2 Pairs
`0x128acb08`	`swap(address,bool,int256,uint160,bytes)`	Uniswap V3 Pools
`0x3c8a7d8d`	`mint(address,int24,int24,uint128,bytes)`	Uniswap V3 Pools
`0xa34123a7`	`burn(int24,int24,uint128)`	Uniswap V3 Pools
`0x4f1eb3d8`	`collect(address,int24,int24,uint128,uint128)`	Uniswap V3 Pools
`0xc31b8d7a`	`swap(address,bool,int256,uint160)`	Uniswap V3 (variant)
`0x52bbbe29`	`swap(SingleSwap,FundManagement,uint256,uint256)`	Balancer V2 Vault
`0x3df02124`	`exchange(int128,int128,uint256,uint256)`	Curve Pools
`0xbd6015b4`	`sellBase(address)`	DODO Pools
`0xdd93f59a`	`sellQuote(address)`	DODO Pools
`0xe67ce706`	`buyBaseToken(uint256,uint256,bytes)`	DODO Pools
`0xd0e30db0`	`deposit()`	WETH
`0x2e1a7d4d`	`withdraw(uint256)`	WETH
`0x23b872dd`	`transferFrom(address,address,uint256)`	ERC20
`0xa9059cbb`	`transfer(address,uint256)`	ERC20
`0x095ea7b3`	`approve(address,uint256)`	ERC20
`0x70a08231`	`balanceOf(address)`	ERC20

Summary

CATEGORY	COUNT
Total External Calls	17+
DEX Integrations	5 (Uniswap V2, V3, Balancer, Curve, DODO)
Token Operations	5 (transfer, transferFrom, approve, balanceOf, WETH wrap/unwrap)
Uniswap V3 Liquidity	3 (mint, burn, collect)

Core Mechanisms

Access Control Entry Point

OverviewKey ObservationsPseudocode

The contract begins with an access control check that validates tx.origin matches the operator address.

ATTRIBUTE	VALUE
Location	Bytecode offset 0x00
Check	`tx.origin == 0xae2Fc483527b8ef99eb5d9b44875f005ba1FaE13`
Access	Operator only

FLAG	OBSERVATION
☑	Uses `tx.origin` not `msg.sender` - prevents flash loan exploits
☑	Hardcoded address cannot be changed
△	No events emitted on failure - silent revert

function _checkAccess() internal view {
    require(tx.origin == 0xae2Fc483527b8ef99eb5d9b44875f005ba1FaE13, "unauthorized");
}

Uniswap V2 Operations

swap (Uniswap V2)

OverviewKey ObservationsActionsPseudocode

Executes a swap on a Uniswap V2 pair contract. The contract computes pair addresses inline using CREATE2 rather than querying the factory.

ATTRIBUTE	VALUE
Selector	`0x022c0d9f`
Target	Uniswap V2 Pair contracts
Access	Internal call via jump table

FLAG	OBSERVATION
☑	Pair addresses computed inline (gas optimization)
☑	Uses Uniswap V2 init code hash: `0x96e8ac42...`
△	No slippage check in contract - managed by calldata

STEP	ACTION
1	Compute pair address from token addresses
2	Transfer tokens to pair
3	Call `swap()` on pair
4	Receive output tokens

function executeV2Swap(
    address tokenIn,
    address tokenOut,
    uint256 amountIn,
    uint256 amountOut0,
    uint256 amountOut1
) internal {
    address pair = computePairAddress(tokenIn, tokenOut);
    IERC20(tokenIn).transfer(pair, amountIn);
    IUniswapV2Pair(pair).swap(amountOut0, amountOut1, address(this), "");
}

Uniswap V3 Operations

swap (Uniswap V3)

OverviewKey ObservationsPseudocode

Executes a swap on a Uniswap V3 pool with concentrated liquidity.

ATTRIBUTE	VALUE
Selector	`0x128acb08`
Target	Uniswap V3 Pool contracts
Access	Internal call via jump table

FLAG	OBSERVATION
☑	Supports exact input and exact output swaps
☑	Uses sqrtPriceLimitX96 for price bounds
△	Callback must be handled (`uniswapV3SwapCallback`)

function executeV3Swap(
    address pool,
    bool zeroForOne,
    int256 amountSpecified,
    uint160 sqrtPriceLimitX96
) internal {
    IUniswapV3Pool(pool).swap(
        address(this),
        zeroForOne,
        amountSpecified,
        sqrtPriceLimitX96,
        abi.encode(/* callback data */)
    );
}

mint (Uniswap V3 Liquidity)

OverviewKey ObservationsActionsPseudocode

Adds concentrated liquidity to a Uniswap V3 pool within specified tick range. This is a key component of the "multi-layer" sandwich attacks.

ATTRIBUTE	VALUE
Selector	`0x3c8a7d8d`
Target	Uniswap V3 Pool contracts
Access	Internal call via jump table

FLAG	OBSERVATION
△	Used as front-piece in 5/7-layer sandwiches
△	Liquidity provision creates price impact
☑	Enables more sophisticated MEV extraction

STEP	ACTION
1	Specify tick range (tickLower, tickUpper)
2	Provide liquidity amount
3	Pool mints position to contract
4	Callback provides tokens

function addLiquidity(
    address pool,
    int24 tickLower,
    int24 tickUpper,
    uint128 amount
) internal {
    IUniswapV3Pool(pool).mint(
        address(this),
        tickLower,
        tickUpper,
        amount,
        abi.encode(/* callback data */)
    );
}

burn (Uniswap V3 Liquidity)

OverviewKey ObservationsPseudocode

Removes liquidity from a Uniswap V3 position. Used as the back-piece in multi-layer sandwiches.

ATTRIBUTE	VALUE
Selector	`0xa34123a7`
Target	Uniswap V3 Pool contracts
Access	Internal call via jump table

FLAG	OBSERVATION
△	Used as back-piece in sandwich attacks
☑	Must be followed by `collect` to retrieve tokens

function removeLiquidity(
    address pool,
    int24 tickLower,
    int24 tickUpper,
    uint128 amount
) internal {
    IUniswapV3Pool(pool).burn(tickLower, tickUpper, amount);
}

collect (Uniswap V3)

OverviewPseudocode

Collects tokens owed from a liquidity position after burning.

ATTRIBUTE	VALUE
Selector	`0x4f1eb3d8`
Target	Uniswap V3 Pool contracts
Access	Internal call via jump table

function collectTokens(
    address pool,
    int24 tickLower,
    int24 tickUpper,
    uint128 amount0Max,
    uint128 amount1Max
) internal {
    IUniswapV3Pool(pool).collect(
        address(this),
        tickLower,
        tickUpper,
        amount0Max,
        amount1Max
    );
}

Balancer V2 Operations

swap (Balancer)

OverviewKey ObservationsPseudocode

Executes a single swap through the Balancer V2 Vault.

ATTRIBUTE	VALUE
Selector	`0x52bbbe29`
Target	`0xBA12222222228d8Ba445958a75a0704d566BF2C8` (Vault)
Access	Internal call via jump table

FLAG	OBSERVATION
☑	All Balancer swaps route through single Vault
☑	Supports weighted, stable, and meta pools
△	Requires pool ID in calldata

function executeBalancerSwap(
    bytes32 poolId,
    address tokenIn,
    address tokenOut,
    uint256 amount
) internal {
    IVault(BALANCER_VAULT).swap(
        SingleSwap({
            poolId: poolId,
            kind: SwapKind.GIVEN_IN,
            assetIn: tokenIn,
            assetOut: tokenOut,
            amount: amount,
            userData: ""
        }),
        FundManagement({
            sender: address(this),
            fromInternalBalance: false,
            recipient: address(this),
            toInternalBalance: false
        }),
        0, // minAmountOut (managed externally)
        block.timestamp
    );
}

Curve Operations

exchange (Curve)

OverviewPseudocode

Executes a swap on a Curve pool using integer indices for token selection.

ATTRIBUTE	VALUE
Selector	`0x3df02124`
Target	Curve pool contracts
Access	Internal call via jump table

function executeCurveSwap(
    address pool,
    int128 i,      // input token index
    int128 j,      // output token index
    uint256 dx,    // input amount
    uint256 min_dy // minimum output
) internal {
    ICurvePool(pool).exchange(i, j, dx, min_dy);
}

DODO Operations

sellBase / sellQuote

OverviewKey ObservationsPseudocode

Executes swaps on DODO PMM (Proactive Market Maker) pools.

ATTRIBUTE	VALUE
Selectors	`0xbd6015b4` (sellBase), `0xdd93f59a` (sellQuote)
Target	DODO pool contracts
Access	Internal call via jump table

FLAG	OBSERVATION
☑	DODO uses PMM algorithm (different from CPMM)
△	Less common arbitrage target

function executeDODOSellBase(address pool, address to) internal {
    IDODO(pool).sellBase(to);
}

function executeDODOSellQuote(address pool, address to) internal {
    IDODO(pool).sellQuote(to);
}

WETH Operations

deposit / withdraw

OverviewPseudocode

Wraps ETH to WETH and unwraps WETH to ETH.

ATTRIBUTE	VALUE
Selectors	`0xd0e30db0` (deposit), `0x2e1a7d4d` (withdraw)
Target	`0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2`
Access	Internal call via jump table

function wrapETH(uint256 amount) internal {
    IWETH(WETH).deposit{value: amount}();
}

function unwrapETH(uint256 amount) internal {
    IWETH(WETH).withdraw(amount);
}

Self-Destruct

selfdestruct

OverviewKey ObservationsPseudocode

The bytecode contains a selfdestruct opcode (0xff) which can destroy the contract and send remaining ETH to the operator.

ATTRIBUTE	VALUE
Opcode	`0x33ff` (CALLER + SELFDESTRUCT)
Access	Operator only

FLAG	OBSERVATION
△	Post-Dencun, selfdestruct only sends ETH (doesn't delete code)
☑	Emergency fund recovery mechanism

function emergencyExit() internal {
    selfdestruct(payable(msg.sender));
}