Methodology
DISCLAIMER // NFA // DYOR
This analysis is based on decompiled bytecode — the contract source code is not verified on
Etherscan. Function names, parameter types, and internal logic are inferred from selector
matching, transaction input decoding, and event log analysis. We are not smart contract
security experts. This document should not be considered a comprehensive security audit or
financial advice. Always verify critical information independently.
⊙ generated by robots | curated by humans
| METADATA | |
|---|---|
| Contract Address | 0xD8706D2D...dC2C2c (etherscan) |
| Network | Ethereum Mainnet |
| Analysis Date | 2026-03-29 |
Overview
This analysis was performed on an unverified contract using bytecode decompilation techniques. The contract's runtime bytecode (~5,833 bytes) was fetched via Ethereum JSON-RPC, then manually disassembled to extract function selectors, event topic hashes, error message strings, and control flow patterns.
Function selectors were resolved to human-readable signatures using the OpenChain Signature Database and 4byte.directory. Event topic hashes were resolved through the same databases. Error message strings embedded in the bytecode provided the contract's internal naming convention ("RewardPoolRegistry") and detailed revert reasons that clarified function preconditions.
Storage layout was mapped by reading slots 0-12 directly from the blockchain and correlating observed values with constructor arguments and known patterns (reentrancy guard at slot 0, Ownable owner at slot 1). Constructor arguments were decoded from the deployment transaction input data.
Transaction history (180 transactions, 174 successful registrations) and internal transactions (174 ETH transfers to the fee recipient) were analyzed via Etherscan API to understand real-world usage patterns and fund flows. Event logs were queried to confirm that no reward deposits or claims have occurred.
The deployer address was cross-referenced with existing Xcellar contract analyses to establish the ecosystem connection.
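The selector-harvesting step described above, as an added Python example (it is not the page's own tooling). It walks runtime bytecode instruction by instruction, skipping PUSH immediates so that bytes inside a PUSH32 event-topic constant are never misread as opcodes, and only counts a PUSH4 as a selector when the dispatcher idiom (PUSH4 followed by EQ) is present. The bytecode is constructed inline, and the small `KNOWN_SIGNATURES` table is an offline stand-in for the OpenChain / 4byte.directory lookups; the three signatures in it are well-known ones, not the registry's actual function set.

```python
"""Walk EVM runtime bytecode, skip PUSH immediates, and harvest the 4-byte
function selectors and 32-byte constants (event topics) the dispatcher uses.
Added example; not the page's tooling. The bytecode below is constructed."""

# Opcode values from the EVM specification
PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F
EQ = 0x14


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) triples, skipping PUSH data so that
    bytes inside a PUSH immediate are never misread as opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield pc, op, code[pc + 1 : pc + 1 + n]
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def harvest_selectors(code: bytes) -> set:
    """Return the selectors the dispatcher compares against. A PUSH4 counts as a
    selector only when followed by EQ (the DUP1 PUSH4 <sel> EQ PUSH2 <dst> JUMPI
    idiom); a bare PUSH4 may just be a numeric constant."""
    instrs = list(disassemble(code))
    found = set()
    for i, (_, op, imm) in enumerate(instrs):
        if op == PUSH4 and i + 1 < len(instrs) and instrs[i + 1][1] == EQ:
            found.add("0x" + imm.hex())
    return found


def harvest_topics(code: bytes) -> set:
    """Return every PUSH32 immediate; event topic hashes show up here."""
    return {"0x" + imm.hex() for _, op, imm in disassemble(code) if op == PUSH32}


# Offline stand-in for OpenChain / 4byte.directory (assumption: three well-known
# signatures; a real run queries the databases for every harvested selector).
KNOWN_SIGNATURES = {
    "0x8da5cb5b": "owner()",
    "0xf2fde38b": "transferOwnership(address)",
    "0x4e71d92d": "claim()",
}


def resolve(selectors) -> dict:
    return {s: KNOWN_SIGNATURES.get(s, "<unresolved>") for s in sorted(selectors)}


def build_sample_dispatcher() -> bytes:
    """Constructed runtime bytecode: a three-way selector dispatcher followed by a
    PUSH32 topic constant whose bytes happen to contain 0x63 (PUSH4) and 0x14 (EQ),
    the kind of thing a naive byte-pattern scan reports as a phantom selector."""
    code = bytes.fromhex("60003560e01c")  # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    for sel in ("8da5cb5b", "f2fde38b", "4e71d92d"):
        # DUP1 PUSH4 <sel> EQ PUSH2 0x0100 JUMPI
        code += bytes.fromhex("80" + "63" + sel + "14" + "610100" + "57")
    topic = "63" + "deadbeef" + "14" + "00" * 26  # 32 bytes that start like PUSH4..EQ
    code += bytes.fromhex("7f" + topic) + bytes.fromhex("a1")  # PUSH32 topic, LOG1
    return code


def naive_scan(code: bytes) -> set:
    """Byte-pattern scan with no opcode walking, kept for comparison: it reports
    every 63 xx xx xx xx 14 sequence, including the one inside the PUSH32."""
    found, h = set(), code.hex()
    for i in range(0, len(h) - 12, 2):
        if h[i : i + 2] == "63" and h[i + 10 : i + 12] == "14":
            found.add("0x" + h[i + 2 : i + 10])
    return found


if __name__ == "__main__":
    code = build_sample_dispatcher()
    print(resolve(harvest_selectors(code)))
    print("topics:", harvest_topics(code))
    print("naive-scan phantoms:", naive_scan(code) - harvest_selectors(code))
```

Running it on real bytecode (for example the output of a `cast code` call saved to a file) only requires replacing `build_sample_dispatcher()` with `bytes.fromhex(...)` of that hex; the difference between `naive_scan` and `harvest_selectors` is the reason a selector count such as "23 found" should come from an opcode walk rather than a grep.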
Thought Process
```mermaid
%%{init: {'theme': 'base'}}%%
mindmap
  root((RewardPoolRegistry<br/>Analysis))
    Phase 0: Obtain
      Etherscan API — unverified
      JSON-RPC eth_getCode
        5833 bytes runtime bytecode
      Constructor args from deploy TX
        distributor EOA
        feeRecipient EOA
        0.001 ETH fee
    Phase 1: Discovery
      Function selectors — 23 found
        OpenChain lookups
        4byte.directory lookups
      Event topics — 8 found
      Error strings — RewardPoolRegistry prefix
      Storage slots 0-12
      Solidity 0.8.20 compiler tag
      Not a proxy — standalone
    Phase 2: Deep Dive
      Registration flow
        Paid 0.001 ETH
        Fee forwarded to recipient
        Permanent enrollment
      Deposit flow
        Owner or Distributor only
        depositToUser — no registration check
        batchDeposit — registration required
      Claim flow
        claim — full balance
        claimAmount — partial, tracks cumulative
        Reentrancy protected
      Emergency withdraw
        Owner only, no timelock
        Drains entire balance
        Ghost balance problem
    Phase 3: Risk Assessment
      Centralization — single EOA owner
      Off-chain reward calculation
      Registration check inconsistency
      Incomplete claim tracking
      No audit, not verified
    Phase 4: Documentation
      Cross-reference with XCL ecosystem
        Same deployer as XCL Rewards proxy
```
Verification Guide
All findings in this analysis can be independently verified using the tools and commands documented below.
External Resources
| RESOURCE | USAGE |
|---|---|
| Etherscan Contract Page | Contract metadata, transaction history, internal transactions, event logs |
| Etherscan Creation TX | Constructor arguments, deployment block, deployer address |
| OpenChain Signature Database | Function selector and event topic hash resolution |
| 4byte.directory | Additional signature lookups for selectors and events |
| Etherscan API v2 | Transaction lists, internal transactions, event log queries, contract creation info |
Commandline Tools
Tip
The commands below use cast from the Foundry toolkit. Before running them, set the RPC URL environment variable:
Fetch Runtime Bytecode
Retrieves the deployed contract bytecode for manual disassembly and analysis.
Read Storage Slots
Reads key storage slots to identify owner, distributor, fee recipient, registration fee, and user count.
```bash
# READ REENTRANCY GUARD (SLOT 0)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 0
# READ OWNER (SLOT 1)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 1
# READ DISTRIBUTOR (SLOT 2)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 2
# READ TOTAL PENDING (SLOT 6)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 6
# READ FEE RECIPIENT (SLOT 7)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 7
# READ REGISTRATION FEE (SLOT 8)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 8
# READ REGISTERED USER COUNT (SLOT 10)
cast storage 0xD8706D2D39AaE656bB5Eb2383a541B6a1ddC2C2c 10
```
Verify Contract Balance
Confirms the contract's current ETH balance.
Decode Constructor Arguments
Extracts and decodes the three constructor parameters from the deployment transaction.
```bash
# FETCH DEPLOYMENT TRANSACTION INPUT DATA
cast tx 0xc7eb1823b8d4175ca3abac5609a57a1ad59ababd8a17b7899a192dd7a011731b input
# CONSTRUCTOR ARGS ARE THE LAST 192 HEX CHARACTERS (3 X 32 BYTES):
# ARG 1 (ADDRESS DISTRIBUTOR): 0x867a2c98d5833b554080bd7761a58ec8ffdb3157
# ARG 2 (ADDRESS FEE RECIPIENT): 0xe1f3fbb11cf1e3af339f1a41eb77faf737264a84
# ARG 3 (UINT256 REGISTRATION FEE): 1000000000000000 (0.001 ETH)
```
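The two decoding steps above, reading raw 32-byte storage words and splitting the constructor arguments off the tail of the deployment input, together with the ghost-balance check implied by the emergency-withdraw finding, as an added Python example (not the page's or the project's own code). The deployment input is a constructed stand-in (a dummy creation-code prefix followed by the three ABI words, using the argument values the page reports); the slot-6 and balance figures fed to the solvency check are likewise constructed, and the `NOT_ENTERED`/`ENTERED` sentinels are the OpenZeppelin ReentrancyGuard convention, which the slot-0 reading assumes.

```python
"""Decode a deployment transaction's trailing constructor arguments and the raw
32-byte words `cast storage` returns, then run a ghost-balance sanity check
(totalPending vs. contract balance). Added example; the deployment input below is
a constructed stand-in, not the real init code."""

WORD = 32


def word_to_address(word: bytes) -> str:
    """An address is right-aligned in its 32-byte word; the top 12 bytes must be zero."""
    if len(word) != WORD:
        raise ValueError("expected a 32-byte word")
    if any(word[:12]):
        raise ValueError("high 12 bytes are not zero; word is not a clean address")
    return "0x" + word[12:].hex()


def word_to_uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode_constructor_args(tx_input: bytes, types: list) -> list:
    """ABI-encoded static args are appended after the creation code, one 32-byte
    word each (assumption: no dynamic types, which holds for the
    address,address,uint256 layout this contract uses)."""
    tail = tx_input[-WORD * len(types):]
    out = []
    for i, t in enumerate(types):
        word = tail[i * WORD:(i + 1) * WORD]
        out.append(word_to_address(word) if t == "address" else word_to_uint(word))
    return out


# OpenZeppelin ReentrancyGuard sentinel values (assumed for slot 0 on this contract).
NOT_ENTERED, ENTERED = 1, 2


def describe_reentrancy_guard(word: bytes) -> str:
    v = word_to_uint(word)
    names = {NOT_ENTERED: "NOT_ENTERED (idle)", ENTERED: "ENTERED (mid-call)"}
    return names.get(v, f"unexpected value {v}")


def ghost_balance_deficit(total_pending_wei: int, balance_wei: int) -> int:
    """Wei of recorded user claims the contract cannot honour. Non-zero after an
    emergencyWithdraw that drained ETH without clearing totalPending (slot 6)."""
    return max(0, total_pending_wei - balance_wei)


def build_sample_tx_input() -> bytes:
    """Constructed: a dummy creation-code prefix followed by the three ABI words.
    The argument values are the ones the page reports for this deployment."""
    creation_code = bytes.fromhex("6080604052")  # placeholder prefix, not the real init code
    distributor = bytes(12) + bytes.fromhex("867a2c98d5833b554080bd7761a58ec8ffdb3157")
    fee_recipient = bytes(12) + bytes.fromhex("e1f3fbb11cf1e3af339f1a41eb77faf737264a84")
    fee = (10**15).to_bytes(WORD, "big")  # 0.001 ETH in wei
    return creation_code + distributor + fee_recipient + fee


if __name__ == "__main__":
    args = decode_constructor_args(build_sample_tx_input(), ["address", "address", "uint256"])
    print("distributor, feeRecipient, registrationFee:", args)
    print("slot 0 guard:", describe_reentrancy_guard((1).to_bytes(WORD, "big")))
    # Constructed figures: 0.5 ETH owed to users, contract balance already zero.
    print("unbacked claims (wei):", ghost_balance_deficit(5 * 10**17, 0))
```

With live data, the words passed to `word_to_address` and `word_to_uint` come straight from `cast storage` output (`bytes.fromhex(hex_word[2:])`), and the deficit check is the quickest way to tell whether claimants still have ETH behind their recorded balances after an owner withdrawal.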
Verify Deployer Connection
Confirms that this contract and the XCL Rewards proxy share the same deployer.
```bash
# CHECK XCL REWARDS PROXY DEPLOYER (SHOULD MATCH 0x9fbcc72a...)
cast tx $(cast etherscan-source --creation 0x2a9848c39fff51eb184326d65f1238cc36764069) from
```
Token Cost Breakdown
| PHASE | DESCRIPTION | TOKENS |
|---|---|---|
| Phase 0 | Obtain the Contract | 15 tok |
| Phase 1 | Discovery & Understanding | 15 tok |
| Phase 2 | Deep Dive Analysis | 10 tok |
| Phase 3 | Risk & Trust Analysis | 5 tok |
| Phase 4 | Documentation Generation | 20 tok |
| TOTAL | Complete Contract Analysis | 65 tok |
Note: Token costs are estimates based on typical conversation lengths and complexity. Actual consumption may vary by ±10-15% depending on API responses, iterative refinement, and verification steps.