Methodology
DISCLAIMER // NFA // DYOR
This analysis is based on decompiled bytecode and observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.
⊙ generated by robots | curated by humans
| METADATA | VALUE |
|---|---|
| Proxy Address | 0x2a9848c39fff51eb184326d65f1238cc36764069 (etherscan) |
| Implementation Address | 0xe528d428c188a80c4824aad89211d292f9a62d77 (etherscan) |
| Network | Ethereum Mainnet |
| Analysis Date | 2025-12-14 |
Overview
This analysis was conducted through bytecode decompilation, storage slot analysis, and on-chain verification. Source code is not verified on Etherscan.
Thought Process
```mermaid
%%{init: {'theme': 'base'}}%%
mindmap
  root((XCL Rewards))
    Discovery
      Proxy pattern
      Bytecode decompilation
      Storage layout
    Analysis
      Functions
      Access control
      Economic model
    Assessment
      Centralization
      Reentrancy risks
      Trust assumptions
```
What This Analysis Includes
- ☑ Function-by-function decompiled code breakdown
- ☑ Storage layout and state variable analysis
- ☑ Access control and permission mapping
- ☑ Economic model and reward distribution mechanics
- ☑ Trust assumptions and risk categorization
What This Analysis Does NOT Include
- ☒ Original source code review (not verified)
- ☒ Formal verification or mathematical proofs
- ☒ Professional security audit
- ☒ Economic modeling or market analysis
- ☒ Team background checks
- ☒ Legal or regulatory compliance review
Limitations
Decompiled Code Limitations
This analysis is based on decompiled bytecode, which may not perfectly represent the original source code.
When working with decompiled code:
| LIMITATION | DESCRIPTION |
|---|---|
| Variable Names | Often "unknown" or generic |
| Function Names | May be hashed (e.g., "unknown8d12918d") |
| Logic Flow | May be restructured |
| Comments | Lost completely |
| Original Intent | May be unclear |
Verification Guide
External Resources
| RESOURCE | NOTES |
|---|---|
| Etherscan: Proxy | Transaction history and proxy storage |
| Etherscan: Implementation | Implementation bytecode |
| EIP-1967 Standard | Standard Proxy Storage Slots |
| Foundry Documentation | Cast commands for on-chain verification |
Command-line Tools
Tip
The commands below use cast from the Foundry toolkit. Before running them, point cast at an Ethereum mainnet node by setting the ETH_RPC_URL environment variable (or by passing --rpc-url on each command).
Verify Contracts Exist
```bash
# GET PROXY CONTRACT BYTECODE SIZE
cast codesize 0x2a9848c39fff51eb184326d65f1238cc36764069
# GET IMPLEMENTATION CONTRACT BYTECODE SIZE
cast codesize 0xe528d428c188a80c4824aad89211d292f9a62d77
# VERIFY IMPLEMENTATION ADDRESS FROM PROXY (EIP-1967 implementation slot)
cast storage 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
# Should return: 0x000000000000000000000000e528d428c188a80c4824aad89211d292f9a62d77
```
Verify Contract State
```bash
# CHECK IF INITIALIZED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "initialized()(bool)"
# GET ADMIN ADDRESS
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "admin()(address)"
# CHECK IF PAUSED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "paused()(bool)"
# GET PARTICIPANT COUNT
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "participantCount()(uint256)"
# GET REWARD POOL
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "rewardPool()(uint256)"
# GET ACTUAL ETH BALANCE
cast balance 0x2a9848c39fff51eb184326d65f1238cc36764069
```
Check User Status
```bash
# Replace YOUR_ADDRESS with the address you want to check
# CHECK IF REGISTERED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "isRegistered(address)(bool)" \
  YOUR_ADDRESS
# CHECK IF BLACKLISTED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "blacklisted(address)(bool)" \
  YOUR_ADDRESS
# GET TOTAL CLAIMED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "totalClaimed(address)(uint256)" \
  YOUR_ADDRESS
```
Red Flags to Look For
When verifying, watch for these warning signs:
| FLAG | WHAT TO CHECK |
|---|---|
| ☒ | Source code not verified - decompiled output cannot be checked against the original source |
| ☒ | Admin is EOA (not multisig) - single point of failure |
| ☒ | No timelock on proxy upgrades - instant malicious upgrade possible |
| ☒ | Reward pool much less than pending claims - insolvency |
| ☒ | Recent emergency withdrawal events - funds removed |
| ☒ | No recent reward deposits - system not being funded |
| ☒ | Recent deployment with large amounts deposited - untested |
| ☒ | Many blacklisted or paused users - excessive intervention |
Green Flags to Look For
| FLAG | WHAT TO CHECK |
|---|---|
| ☑ | Admin is multisig with multiple signers |
| ☑ | Timelock protection on proxy upgrades |
| ☑ | Reward pool solvent (balance >= sum of pending claims) |
| ☑ | Regular reward deposits (funded system) |
| ☑ | Professional audit report available |
| ☑ | Active community and transparent operations |
| ☑ | Long operational history without incidents |
| ☑ | Reasonable participant count |
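Several of the red and green flags in the two tables above are mechanical checks on the values returned by the "Verify Contract State" commands. The script below, added here as an example rather than code from the original analysis, parses cast's decoded output and scores those checks: admin code size 0 (EOA), reward pool accounting larger than the real ETH balance, and pending claims exceeding what can actually be paid. It assumes cast prints bool results as true/false and uint256 results as a decimal optionally followed by a bracketed hint such as [1e18]; the sample values are constructed, and pending_claims_wei must be summed by you from per-address totalClaimed queries, since the contract exposes no global pending total.

```python
"""Score the red/green-flag checklist from `cast` output.

Added example, not part of the original analysis. Output-format assumptions
and sample values are constructed, as described in the lead-in.
"""
import re
from dataclasses import dataclass


def parse_cast_uint(text: str) -> int:
    """'5000000000000000000 [5e18]' -> 5000000000000000000 (assumed cast format)."""
    m = re.match(r"\s*(\d+)", text)
    if not m:
        raise ValueError(f"not a cast uint output: {text!r}")
    return int(m.group(1))


def parse_cast_bool(text: str) -> bool:
    """'true' / 'false' (assumed cast format) -> bool."""
    t = text.strip().lower()
    if t not in ("true", "false"):
        raise ValueError(f"not a cast bool output: {text!r}")
    return t == "true"


@dataclass
class ContractState:
    initialized: bool
    paused: bool
    admin_codesize: int        # from `cast codesize <admin>`; 0 means an EOA
    reward_pool_wei: int       # rewardPool()
    balance_wei: int           # cast balance <proxy>
    pending_claims_wei: int    # sum of outstanding claims, gathered separately
    participant_count: int     # participantCount()


def evaluate_flags(s: ContractState) -> dict:
    """Each key is a checklist item; True means the red flag is raised."""
    return {
        "not_initialized": not s.initialized,
        "paused": s.paused,
        "admin_is_eoa": s.admin_codesize == 0,
        # the contract's own accounting claims more ETH than it actually holds
        "reward_pool_exceeds_balance": s.reward_pool_wei > s.balance_wei,
        # only the smaller of accounted pool and real balance can ever be paid out
        "insolvent": min(s.reward_pool_wei, s.balance_wei) < s.pending_claims_wei,
        "no_participants": s.participant_count == 0,
    }


def state_from_cast_output(raw: dict) -> ContractState:
    """Build a ContractState from the raw stdout strings of the cast commands."""
    return ContractState(
        initialized=parse_cast_bool(raw["initialized"]),
        paused=parse_cast_bool(raw["paused"]),
        admin_codesize=parse_cast_uint(raw["admin_codesize"]),
        reward_pool_wei=parse_cast_uint(raw["rewardPool"]),
        balance_wei=parse_cast_uint(raw["balance"]),
        pending_claims_wei=parse_cast_uint(raw["pending_claims"]),
        participant_count=parse_cast_uint(raw["participantCount"]),
    )


# Constructed sample output: solvent and funded, but the admin is an EOA.
SAMPLE_OUTPUT = {
    "initialized": "true\n",
    "paused": "false\n",
    "admin_codesize": "0\n",
    "rewardPool": "5000000000000000000 [5e18]\n",
    "balance": "5200000000000000000\n",
    "pending_claims": "1000000000000000000 [1e18]\n",
    "participantCount": "42\n",
}

if __name__ == "__main__":
    for name, raised in evaluate_flags(state_from_cast_output(SAMPLE_OUTPUT)).items():
        print(f"{'RED' if raised else 'ok '}  {name}")
```

The solvency test deliberately uses the smaller of rewardPool() and the real balance: a large rewardPool value is meaningless if the ETH was removed by an emergency withdrawal, which is why the red-flag table pairs the accounting check with recent-withdrawal events.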