Methodology
DISCLAIMER // NFA // DYOR
This analysis is based on decompiled bytecode and observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.
⊙ generated by robots | curated by humans
| METADATA | VALUE |
|---|---|
| Proxy Address | 0x2a9848c39fff51eb184326d65f1238cc36764069 (etherscan) |
| Implementation Address | 0x435dc93869553123513148e5df4231c21dfca965 (etherscan) |
| Network | Ethereum Mainnet |
| Analysis Date | 2026-03-29 (Updated) |
Overview
This analysis was originally conducted on 2025-12-14 through bytecode decompilation, storage slot analysis, and on-chain verification. Source code is not verified on Etherscan. On 2026-03-29, the analysis was updated to reflect the implementation upgrade from 0xe528d4... to 0x435dc9... (via intermediate 0xc09d9b...), which occurred on March 27, 2026.
The update involved: comparing old and new function selector sets (60 vs 67 — 7 added, 0 removed), probing new functions via RPC calls, reading new storage slots (24-26), analyzing Upgraded events, and reviewing recent transaction patterns.
Thought Process
```mermaid
%%{init: {'theme': 'base'}}%%
mindmap
  root((XCL Rewards v1.0.0))
    Original Analysis
      Proxy pattern
      Bytecode decompilation
      Storage layout slots 0-23
    Upgrade Discovery
      Upgraded events on-chain
      Selector diff old vs new
      7 new functions identified
      New storage slots 24-26
    Updated Analysis
      Priority snapshot fees
      Fee recipient EOA
      VERSION tracking
      Zero distribution observed
    Risk Assessment
      Rapid double-upgrade pattern
      Fee extraction to EOA
      Centralization unchanged
      Reentrancy still present
```
What This Analysis Includes
- ☑ Function-by-function decompiled code breakdown
- ☑ Storage layout and state variable analysis
- ☑ Access control and permission mapping
- ☑ Economic model and reward distribution mechanics
- ☑ Trust assumptions and risk categorization
What This Analysis Does NOT Include
- ☒ Original source code review (not verified)
- ☒ Formal verification or mathematical proofs
- ☒ Professional security audit
- ☒ Economic modeling or market analysis
- ☒ Team background checks
- ☒ Legal or regulatory compliance review
Limitations
Decompiled Code Limitations
This analysis is based on decompiled bytecode, which may not perfectly represent the original source code.
When working with decompiled code:
| LIMITATION | DESCRIPTION |
|---|---|
| Variable Names | Often "unknown" or generic |
| Function Names | May be hashed (e.g., "unknown8d12918d") |
| Logic Flow | May be restructured |
| Comments | Lost completely |
| Original Intent | May be unclear |
Verification Guide
External Resources
| RESOURCE | NOTES |
|---|---|
| Etherscan: Proxy | Transaction history and proxy storage |
| Etherscan: Current Implementation | Current implementation bytecode (v1.0.0) |
| Etherscan: Original Implementation | Original implementation bytecode |
| Etherscan: XcellarToken | Verified XCL token source code |
| EIP-1967 Standard | Standard Proxy Storage Slots |
| Foundry Documentation | Cast commands for on-chain verification |
Command-line Tools
Tip
The commands below use `cast` from the Foundry toolkit. Before running them, set the `ETH_RPC_URL` environment variable to an Ethereum mainnet RPC endpoint (or pass `--rpc-url` to each command).
Verify Contracts Exist
```bash
# GET PROXY CONTRACT BYTECODE SIZE
cast codesize 0x2a9848c39fff51eb184326d65f1238cc36764069
# GET CURRENT IMPLEMENTATION CONTRACT BYTECODE SIZE
cast codesize 0x435dc93869553123513148e5df4231c21dfca965
# VERIFY IMPLEMENTATION ADDRESS FROM PROXY (EIP-1967 implementation slot)
cast storage 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
# Should return: 0x000000000000000000000000435dc93869553123513148e5df4231c21dfca965
# GET VERSION
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "VERSION()(string)"
# Should return: "1.0.0"
```
Verify Contract State
```bash
# CHECK IF INITIALIZED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "initialized()(bool)"
# GET ADMIN ADDRESS
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "admin()(address)"
# CHECK IF PAUSED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "paused()(bool)"
# GET PARTICIPANT COUNT
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "participantCount()(uint256)"
# GET REWARD POOL
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 "rewardPool()(uint256)"
# GET ACTUAL ETH BALANCE
cast balance 0x2a9848c39fff51eb184326d65f1238cc36764069
```
Check User Status
```bash
# Replace YOUR_ADDRESS with actual address
# CHECK IF REGISTERED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "isRegistered(address)(bool)" \
  YOUR_ADDRESS
# CHECK IF BLACKLISTED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "blacklisted(address)(bool)" \
  YOUR_ADDRESS
# GET TOTAL CLAIMED
cast call 0x2a9848c39fff51eb184326d65f1238cc36764069 \
  "totalClaimed(address)(uint256)" \
  YOUR_ADDRESS
```
Red Flags to Look For
When verifying, watch for these warning signs:
| FLAG | WHAT TO CHECK |
|---|---|
| ☒ | Source code not verified - cannot compare decompiled analysis |
| ☒ | Admin is EOA (not multisig) - single point of failure |
| ☒ | No timelock on proxy upgrades - instant malicious upgrade possible |
| ☒ | Reward pool much less than pending claims - insolvency |
| ☒ | Recent emergency withdrawal events - funds removed |
| ☒ | No recent reward deposits - system not being funded |
| ☒ | Recent deployment with large amounts deposited - untested |
| ☒ | Many blacklisted or paused users - excessive intervention |
Green Flags to Look For
| FLAG | WHAT TO CHECK |
|---|---|
| ☑ | Admin is multisig with multiple signers |
| ☑ | Timelock protection on proxy upgrades |
| ☑ | Reward pool solvent (balance >= sum of pending claims) |
| ☑ | Regular reward deposits (funded system) |
| ☑ | Professional audit report available |
| ☑ | Active community and transparent operations |
| ☑ | Long operational history without incidents |
| ☑ | Reasonable participant count |
Token Cost Breakdown
| PHASE | DESCRIPTION | TOKENS |
|---|---|---|
| Phase 0 | Obtain the Contract (upgrade discovery, bytecode fetch) | 15 tok |
| Phase 1 | Discovery & Understanding (selector diff, new function probing) | 20 tok |
| Phase 2 | Deep Dive Analysis (7 new functions, fee mechanism) | 15 tok |
| Phase 3 | Risk & Trust Analysis (upgrade risks, fee flow, zero distribution) | 10 tok |
| Phase 4 | Documentation Generation (update 6 files + changelog) | 25 tok |
| TOTAL | Contract Analysis Update | 85 tok |
Note: Token costs are estimates based on typical conversation lengths and complexity. This was an update to an existing analysis, not a full from-scratch analysis. Actual consumption may vary by ±10-15% depending on API responses, iterative refinement, and verification steps.