uups-checker 1.0.0

package/alpha-proxy-echidna.txt

@@ -0,0 +1 @@
+zsh: command not found: echidna

package/alpha-proxy-fuzz-results.txt

@@ -0,0 +1,81 @@
+Compiling 1 files with Solc 0.8.33
+Solc 0.8.33 finished in 338.04ms
+Compiler run successful with warnings:
+Warning (3628): This contract has a payable fallback function, but no receive ether function. Consider adding a receive ether function.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:400:1:
+    |
+400 | contract ReentrantAttacker {
+    | ^ (Relevant source part starts here and spans across multiple lines).
+Note: The payable fallback function is defined here.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:413:5:
+    |
+413 |     fallback() external payable {
+    |     ^ (Relevant source part starts here and spans across multiple lines).
+
+Warning (2072): Unused local variable.
+  --> test/AlphaProxyUserExploitFuzz.t.sol:49:10:
+   |
+49 |         (bool success,) = address(proxy).call(data);
+   |          ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:124:10:
+    |
+124 |         (bool success,) = address(proxy).call(data);
+    |          ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:234:10:
+    |
+234 |         (bool success,) = address(proxy).call(data);
+    |          ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:260:10:
+    |
+260 |         (bool success,) = address(proxy).call{value: value}(data);
+    |          ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:294:18:
+    |
+294 |                 (bool success,) = address(proxy).call(calls[i]);
+    |                  ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:326:10:
+    |
+326 |         (bool success,) = address(proxy).call(payload);
+    |          ^^^^^^^^^^^^
+
+Warning (2072): Unused local variable.
+   --> test/AlphaProxyUserExploitFuzz.t.sol:416:14:
+    |
+416 |             (bool success,) = target.call(msg.data);
+    |              ^^^^^^^^^^^^
+
+
+Ran 10 tests for test/AlphaProxyUserExploitFuzz.t.sol:AlphaProxyUserExploitFuzz
+[PASS] testFuzz_ArbitraryCalldata(bytes) (runs: 10000, μ: 15608, ~: 15603)
+[PASS] testFuzz_CalldataLength(uint256) (runs: 10000, μ: 317457, ~: 481416)
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_GasGriefing(bytes,uint256) (runs: 3886, μ: 17481, ~: 17476)
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_Multicall(bytes[]) (runs: 2385, μ: 24499, ~: 24564)
+[PASS] testFuzz_Reentrancy(bytes4) (runs: 10000, μ: 391107, ~: 391107)
+[PASS] testFuzz_ReturnDataExploit(bytes) (runs: 10000, μ: 14199, ~: 14194)
+[PASS] testFuzz_SelectorBruteforce(bytes4,bytes) (runs: 10000, μ: 15488, ~: 15485)
+[PASS] testFuzz_SignatureMalleability(bytes32,bytes32,uint8,bytes) (runs: 10000, μ: 16091, ~: 16089)
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_StorageManipulation(uint256,uint256) (runs: 8405, μ: 15608, ~: 15608)
+[PASS] testFuzz_ValueManipulation(uint256,bytes4) (runs: 10000, μ: 22428, ~: 22428)
+Suite result: FAILED. 7 passed; 3 failed; 0 skipped; finished in 4.59s (11.55s CPU time)
+
+Ran 1 test suite in 4.60s (4.59s CPU time): 7 tests passed, 3 failed, 0 skipped (10 total tests)
+
+Failing tests:
+Encountered 3 failing tests in test/AlphaProxyUserExploitFuzz.t.sol:AlphaProxyUserExploitFuzz
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_GasGriefing(bytes,uint256) (runs: 3886, μ: 17481, ~: 17476)
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_Multicall(bytes[]) (runs: 2385, μ: 24499, ~: 24564)
+[FAIL: `vm.assume` rejected too many inputs (65536 allowed)] testFuzz_StorageManipulation(uint256,uint256) (runs: 8405, μ: 15608, ~: 15608)
+
+Encountered a total of 3 failing tests, 7 tests succeeded
+
+Tip: Run `forge test --rerun` to retry only the 3 failed tests

package/alpha-proxy-mythril.txt

@@ -0,0 +1,2 @@
+The analysis was completed successfully. No issues were detected.
+

package/analyze-btcst-farm.js

@@ -0,0 +1,54 @@
+const { ethers } = require('ethers');
+
+const RPC = 'https://bsc-dataseed1.binance.org';
+const provider = new ethers.providers.JsonRpcProvider(RPC);
+
+const BTCST_PROXY = '0x78650B139471520656b9E7aA7A5e9276814a38e9';
+
+// ABI for reading farm contract
+const btcstABI = [
+    'function _farmContract() view returns (address)',
+    'function owner() view returns (address)',
+    'function balanceOf(address) view returns (uint256)',
+    'function decimals() view returns (uint8)',
+    'function totalSupply() view returns (uint256)'
+];
+
+async function main() {
+    console.log('🔍 BTCST Farm & Rebase Analysis\n');
+    
+    const btcst = new ethers.Contract(BTCST_PROXY, btcstABI, provider);
+    
+    try {
+        const farmAddress = await btcst._farmContract();
+        console.log('✅ Farm Contract Address:', farmAddress);
+        
+        // Check if farm has code
+        const farmCode = await provider.getCode(farmAddress);
+        console.log('Farm Has Code:', farmCode !== '0x');
+        console.log('Farm Code Length:', farmCode.length, 'bytes\n');
+        
+        // Check farm balance
+        const farmBalance = await btcst.balanceOf(farmAddress);
+        console.log('Farm BTCST Balance:', ethers.utils.formatUnits(farmBalance, 17), 'BTCST');
+        
+        // Check farm BNB balance
+        const farmBNB = await provider.getBalance(farmAddress);
+        console.log('Farm BNB Balance:', ethers.utils.formatEther(farmBNB), 'BNB\n');
+        
+        // Get owner balance
+        const owner = await btcst.owner();
+        const ownerBalance = await btcst.balanceOf(owner);
+        console.log('Owner Address:', owner);
+        console.log('Owner BTCST Balance:', ethers.utils.formatUnits(ownerBalance, 17), 'BTCST\n');
+        
+        // Get total supply
+        const totalSupply = await btcst.totalSupply();
+        console.log('Total Supply:', ethers.utils.formatUnits(totalSupply, 17), 'BTCST');
+        
+    } catch (e) {
+        console.log('❌ Error reading farm contract:', e.message);
+    }
+}
+
+main().catch(console.error);

package/analyze-dxsale-lock.js

@@ -0,0 +1,75 @@
+const { ethers } = require('ethers');
+
+async function main() {
+    const provider = new ethers.providers.JsonRpcProvider('https://bsc-dataseed.binance.org/');
+    
+    const lockAddr = '0x2d045410f002a95efcee67759a92518fa3fce677';
+    const catgirl = '0x79ebc9a2ce02277a4b5b3a768b1c0a4ed75bd936';
+    
+    console.log('=== DXSALE LOCK CONTRACT ANALYSIS ===\n');
+    console.log('Address:', lockAddr);
+    
+    // Get contract code
+    const code = await provider.getCode(lockAddr);
+    console.log('Bytecode length:', code.length);
+    console.log('Contract is UNVERIFIED\n');
+    
+    // Try to read storage slots
+    console.log('=== STORAGE ANALYSIS ===');
+    for (let i = 0; i < 10; i++) {
+        const slot = await provider.getStorageAt(lockAddr, i);
+        console.log(`STORAGE[${i}]:`, slot);
+    }
+    
+    // Check lock fees by calling the contract
+    console.log('\n=== TRYING TO READ LOCK FEES ===');
+    try {
+        const feeSlot = await provider.getStorageAt(lockAddr, 3);
+        const fees = ethers.BigNumber.from(feeSlot);
+        console.log('Lock fees (slot 3):', ethers.utils.formatEther(fees), 'BNB');
+    } catch (e) {
+        console.log('Could not read fees:', e.message);
+    }
+    
+    // Try calling lockTokens with 0 value to see error message
+    console.log('\n=== TESTING LOCK FUNCTION ===');
+    const testWallet = ethers.Wallet.createRandom().connect(provider);
+    
+    try {
+        await testWallet.call({
+            to: lockAddr,
+            data: ethers.utils.id('lockTokens(address,uint256,uint256,uint256,bytes)').slice(0, 10),
+            value: 0
+        });
+    } catch (e) {
+        console.log('Error message:', e.message);
+        if (e.message.includes('locking fees')) {
+            console.log('✓ Confirmed: Contract requires locking fees');
+        }
+    }
+    
+    // Check who owns locks
+    console.log('\n=== CHECKING LOCK OWNERS ===');
+    const tokenAbi = ['function balanceOf(address) view returns (uint256)'];
+    const token = new ethers.Contract(catgirl, tokenAbi, provider);
+    const balance = await token.balanceOf(lockAddr);
+    console.log('Total CATGIRL locked:', ethers.utils.formatEther(balance));
+    
+    // Try to find lock data by reading mappings
+    console.log('\n=== ATTEMPTING TO READ LOCK DATA ===');
+    // mapping(address => mapping(uint256 => LockInfo)) at slot 5
+    const testAddr = '0x0000000000000000000000000000000000000001';
+    const lockId = 0;
+    
+    // Calculate mapping slot: keccak256(lockId . keccak256(address . slot))
+    const innerHash = ethers.utils.keccak256(
+        ethers.utils.defaultAbiCoder.encode(['address', 'uint256'], [testAddr, 5])
+    );
+    const outerHash = ethers.utils.keccak256(
+        ethers.utils.defaultAbiCoder.encode(['uint256', 'bytes32'], [lockId, innerHash])
+    );
+    
+    console.log('Calculated lock storage slot:', outerHash);
+}
+
+main().catch(console.error);

package/analyze-elephant.js

@@ -0,0 +1,69 @@
+const { ethers } = require('ethers');
+
+const provider = new ethers.providers.JsonRpcProvider('https://bsc-dataseed1.binance.org');
+const address = '0xe283d0e3b8c102badf5e8166b73e02d96d92f688';
+
+const abi = [
+  'function name() view returns (string)',
+  'function symbol() view returns (string)',
+  'function decimals() view returns (uint8)',
+  'function totalSupply() view returns (uint256)',
+  'function balanceOf(address) view returns (uint256)',
+  'function owner() view returns (address)',
+  'function _taxFee() view returns (uint256)',
+  'function _liquidityFee() view returns (uint256)',
+  'function _maxTxAmount() view returns (uint256)',
+  'function isExcludedFromFee(address) view returns (bool)',
+  'function isExcludedFromReward(address) view returns (bool)'
+];
+
+const contract = new ethers.Contract(address, abi, provider);
+
+async function main() {
+  console.log('=== ELEPHANT Deep Analysis ===\n');
+  
+  const name = await contract.name();
+  const symbol = await contract.symbol();
+  const decimals = await contract.decimals();
+  const supply = await contract.totalSupply();
+  const owner = await contract.owner();
+  
+  console.log('Name:', name);
+  console.log('Symbol:', symbol);
+  console.log('Decimals:', decimals);
+  console.log('Total Supply:', ethers.utils.formatUnits(supply, decimals));
+  console.log('Owner:', owner);
+  
+  try {
+    const taxFee = await contract._taxFee();
+    console.log('\nTax Fee:', taxFee.toString(), '%');
+  } catch (e) {
+    console.log('No _taxFee function');
+  }
+  
+  try {
+    const liqFee = await contract._liquidityFee();
+    console.log('Liquidity Fee:', liqFee.toString(), '%');
+  } catch (e) {
+    console.log('No _liquidityFee function');
+  }
+  
+  try {
+    const maxTx = await contract._maxTxAmount();
+    console.log('Max TX Amount:', ethers.utils.formatUnits(maxTx, decimals));
+  } catch (e) {
+    console.log('No _maxTxAmount function');
+  }
+  
+  // Check owner balance
+  const ownerBalance = await contract.balanceOf(owner);
+  console.log('\nOwner Balance:', ethers.utils.formatUnits(ownerBalance, decimals));
+  console.log('Owner %:', (parseFloat(ethers.utils.formatUnits(ownerBalance, decimals)) / parseFloat(ethers.utils.formatUnits(supply, decimals)) * 100).toFixed(2), '%');
+  
+  // Get bytecode
+  const code = await provider.getCode(address);
+  console.log('\nBytecode size:', code.length, 'bytes');
+  console.log('This is a LARGE contract - likely reflection token with fees');
+}
+
+main().catch(console.error);

package/analyze-fara-rewards.js

@@ -0,0 +1,109 @@
+const { ethers } = require('ethers');
+
+// BSC RPC
+const provider = new ethers.providers.JsonRpcProvider('https://bsc-dataseed.binance.org');
+
+const STAKING_CONTRACT = '0x107E5696fAc55207DFC05C071404C31CEc57d47A';
+const FARA_TOKEN = '0xF4Ed363144981D3A65f42e7D0DC54FF9EEf559A1';
+const REAL_USER = '0xc75124Cc9d40d7f53FB05B5f8CC13638EfD869fE';
+
+async function analyzeRewards() {
+    console.log('=== ANALYZING FARA REWARD CALCULATION ===\n');
+    
+    // Get the transaction that had the massive reward
+    // TX4 hash from the logs (need to find it)
+    
+    // Analyze the periodId values:
+    const tx2PeriodId = BigInt('5768');
+    const tx4PeriodId = BigInt('2348722764634508715752853');
+    
+    console.log('TX2 periodId:', tx2PeriodId.toString());
+    console.log('TX4 periodId:', tx4PeriodId.toString());
+    console.log('PeriodId ratio:', (tx4PeriodId / tx2PeriodId).toString());
+    
+    // The periodId in TX4 is INSANELY large
+    // This suggests either:
+    // 1. Integer overflow in periodId calculation
+    // 2. Bug in how periodId is calculated
+    // 3. Exploit where user manipulated periodId
+    
+    console.log('\n=== CHECKING STAKING CONTRACT STATE ===\n');
+    
+    // Try to read contract storage
+    const code = await provider.getCode(STAKING_CONTRACT);
+    console.log('Contract code length:', code.length);
+    
+    // Check FARA token balance
+    const faraAbi = ['function balanceOf(address) view returns (uint256)'];
+    const faraToken = new ethers.Contract(FARA_TOKEN, faraAbi, provider);
+    
+    const stakingBalance = await faraToken.balanceOf(STAKING_CONTRACT);
+    console.log('Staking contract FARA balance:', ethers.utils.formatEther(stakingBalance), 'FARA');
+    
+    const userBalance = await faraToken.balanceOf(REAL_USER);
+    console.log('User FARA balance:', ethers.utils.formatEther(userBalance), 'FARA');
+    
+    // Try to call view functions
+    const stakingAbi = [
+        'function _stakingBalances(address) view returns (uint256)',
+        'function _isStopped() view returns (bool)',
+        'function _totalStaked() view returns (uint256)',
+        'function _weightedTotalStaked() view returns (uint256)'
+    ];
+    
+    const staking = new ethers.Contract(STAKING_CONTRACT, stakingAbi, provider);
+    
+    try {
+        const userStake = await staking._stakingBalances(REAL_USER);
+        console.log('User staking balance:', ethers.utils.formatEther(userStake), 'FARA');
+    } catch (e) {
+        console.log('Could not read _stakingBalances');
+    }
+    
+    try {
+        const isStopped = await staking._isStopped();
+        console.log('Contract stopped:', isStopped);
+    } catch (e) {
+        console.log('Could not read _isStopped');
+    }
+    
+    try {
+        const totalStaked = await staking._totalStaked();
+        console.log('Total staked:', ethers.utils.formatEther(totalStaked), 'FARA');
+    } catch (e) {
+        console.log('Could not read _totalStaked');
+    }
+    
+    try {
+        const weightedTotal = await staking._weightedTotalStaked();
+        console.log('Weighted total staked:', ethers.utils.formatEther(weightedTotal), 'FARA');
+    } catch (e) {
+        console.log('Could not read _weightedTotalStaked');
+    }
+    
+    console.log('\n=== REWARD CALCULATION ANALYSIS ===\n');
+    
+    // The rewards:
+    const tx2Reward = BigInt('2366408571946386');
+    const tx4Reward = BigInt('568003350439294342325');
+    
+    console.log('TX2 reward:', ethers.utils.formatEther(tx2Reward), 'FARA');
+    console.log('TX4 reward:', ethers.utils.formatEther(tx4Reward), 'FARA');
+    console.log('Reward ratio:', (tx4Reward * BigInt(1000) / tx2Reward).toString() + 'x');
+    
+    // If reward is calculated as: balance * periodId * rate
+    // And periodId overflowed, this could explain the massive reward
+    
+    console.log('\n=== POTENTIAL EXPLOIT ===\n');
+    console.log('If periodId calculation has integer overflow:');
+    console.log('1. Attacker stakes tokens');
+    console.log('2. Waits for periodId to overflow');
+    console.log('3. Claims rewards with massive periodId');
+    console.log('4. Drains contract');
+    
+    // Check if there are enough tokens in contract to drain
+    console.log('\nTokens available to drain:', ethers.utils.formatEther(stakingBalance), 'FARA');
+    console.log('Value at $0.01/FARA:', (Number(ethers.utils.formatEther(stakingBalance)) * 0.01).toFixed(2), 'USD');
+}
+
+analyzeRewards().catch(console.error);

package/analyze-fara-storage.js

@@ -0,0 +1,83 @@
+const { ethers } = require('ethers');
+
+const RPC = 'https://bsc-dataseed.binance.org';
+const provider = new ethers.providers.JsonRpcProvider(RPC);
+
+const STAKING_CONTRACT = '0x107E5696fAc55207DFC05C071404C31CEc57d47A';
+
+async function analyzeStorage() {
+    console.log('=== ANALYZING FARA STAKING STORAGE ===\n');
+    
+    const slot0 = await provider.getStorageAt(STAKING_CONTRACT, 0);
+    const slot1 = await provider.getStorageAt(STAKING_CONTRACT, 1);
+    const slot2 = await provider.getStorageAt(STAKING_CONTRACT, 2);
+    const slot3 = await provider.getStorageAt(STAKING_CONTRACT, 3);
+    const slot4 = await provider.getStorageAt(STAKING_CONTRACT, 4);
+    const slot5 = await provider.getStorageAt(STAKING_CONTRACT, 5);
+    const slot6 = await provider.getStorageAt(STAKING_CONTRACT, 6);
+    const slot7 = await provider.getStorageAt(STAKING_CONTRACT, 7);
+    
+    console.log('Slot 0 (owner):', slot0);
+    console.log('  -> Address:', '0x' + slot0.slice(26));
+    
+    console.log('\nSlot 1:', slot1);
+    
+    console.log('\nSlot 2 (reward pool):', slot2);
+    console.log('  -> Address:', '0x' + slot2.slice(26));
+    
+    console.log('\nSlot 3:', slot3);
+    console.log('  -> As uint256:', BigInt(slot3).toString());
+    console.log('  -> In ether:', ethers.utils.formatEther(BigInt(slot3)));
+    
+    console.log('\nSlot 4:', slot4);
+    console.log('  -> As uint256:', BigInt(slot4).toString());
+    
+    console.log('\nSlot 5 (FUTURE TIMESTAMP!):', slot5);
+    const timestamp5 = Number(BigInt(slot5));
+    console.log('  -> As uint256:', timestamp5);
+    console.log('  -> As timestamp:', new Date(timestamp5 * 1000).toISOString());
+    console.log('  -> Days from now:', Math.floor((timestamp5 - Date.now()/1000) / 86400));
+    
+    console.log('\nSlot 6:', slot6);
+    console.log('  -> As uint256:', BigInt(slot6).toString());
+    
+    console.log('\nSlot 7:', slot7);
+    console.log('  -> As uint256:', BigInt(slot7).toString());
+    
+    // Current time
+    const now = Math.floor(Date.now() / 1000);
+    console.log('\n=== TIME ANALYSIS ===');
+    console.log('Current timestamp:', now);
+    console.log('Current date:', new Date().toISOString());
+    console.log('Slot 5 timestamp:', timestamp5);
+    console.log('Slot 5 date:', new Date(timestamp5 * 1000).toISOString());
+    
+    // If there's a calculation like (slot5 - currentTime), it would be positive
+    // But if there's (currentTime - slot5), it would UNDERFLOW!
+    
+    console.log('\n=== UNDERFLOW CALCULATION ===');
+    console.log('If contract calculates: (currentTime - slot5)');
+    console.log('  currentTime:', now);
+    console.log('  slot5:', timestamp5);
+    console.log('  Difference:', now - timestamp5, '(NEGATIVE!)');
+    
+    // In Solidity, this would underflow to:
+    const underflowResult = BigInt(now) - BigInt(timestamp5);
+    console.log('  As uint256 (underflow):', underflowResult.toString());
+    
+    // This matches the pattern! The periodId was 2,348,722,764,634,508,715,752,853
+    // Let's see if we can derive this
+    
+    const exploitPeriodId = BigInt('2348722764634508715752853');
+    console.log('\n=== MATCHING EXPLOIT PATTERN ===');
+    console.log('Exploit periodId:', exploitPeriodId.toString());
+    console.log('Our underflow:', underflowResult.toString());
+    
+    // The periodId might be: (underflow * multiplier) or (underflow / divisor)
+    if (underflowResult < 0) {
+        const absUnderflow = -underflowResult;
+        console.log('Ratio (exploit / underflow):', Number(exploitPeriodId / BigInt(absUnderflow)));
+    }
+}
+
+analyzeStorage().catch(console.error);

package/analyze-lft-transaction.js

@@ -0,0 +1,158 @@
+const { ethers } = require('ethers');
+
+const provider = new ethers.providers.JsonRpcProvider('https://eth-mainnet.g.alchemy.com/v2/5IWkkFu-rS6plYHO9MLq-');
+
+// From the transaction logs
+const LFT_TOKEN = '0xb620be8a1949aa9532e6a3510132864ef9bc3f82';
+const UNISWAP_PAIR = '0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f'; // Uniswap V2: LFT 2
+const SELLER = '0xb837c86126AFD947F9eB20253810bB4b9a906109';
+const OKX_AGGREGATOR = '0x5E1f62Dac767b0491e3CE72469C217365D5B48cC'; // OKX Labs 1
+
+// Transaction details from logs
+const LFT_SOLD = '41007385950162107727'; // ~41 LFT
+const ETH_RECEIVED = '7529356701113'; // ~0.0000075 ETH
+
+async function analyzeTransaction() {
+    console.log('=== LFT TRANSACTION DEEP ANALYSIS ===\n');
+    
+    console.log('Transaction Flow:');
+    console.log('1. Seller:', SELLER);
+    console.log('2. Aggregator:', OKX_AGGREGATOR);
+    console.log('3. Uniswap Pair:', UNISWAP_PAIR);
+    console.log('4. LFT Sold:', ethers.utils.formatEther(LFT_SOLD), 'LFT');
+    console.log('5. ETH Received:', ethers.utils.formatEther(ETH_RECEIVED), 'ETH\n');
+    
+    // Key observation from logs
+    console.log('=== KEY OBSERVATIONS ===\n');
+    
+    console.log('Event #9: Transfer FROM Uniswap Pair TO Seller');
+    console.log('  From: 0x9c84f58BB51FabD18698efE95F5bAb4F33E96E8f (Uniswap Pair)');
+    console.log('  To: 0xb837c86126AFD947F9eB20253810bB4b9a906109 (Seller)');
+    console.log('  Amount:', ethers.utils.formatEther(LFT_SOLD), 'LFT\n');
+    
+    console.log('This means:');
+    console.log('- LFT tokens were TRANSFERRED FROM the Uniswap pair');
+    console.log('- This is a SELL transaction (user selling LFT for ETH)');
+    console.log('- The transfer function was called with:');
+    console.log('    from: 0x9c84f58BB51FabD18698efE95F5bAb4F33E96E8f');
+    console.log('    to: 0xb837c86126AFD947F9eB20253810bB4b9a906109\n');
+    
+    // Check the transfer restriction
+    console.log('=== TRANSFER RESTRICTION ANALYSIS ===\n');
+    
+    console.log('From decompiled code:');
+    console.log('if (0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f == varg1) {');
+    console.log('    require(address(0x2caa8387030af8fd61c59eee88341dc590883496) == tx.origin,');
+    console.log('            Error("Insufficient gas fees"));');
+    console.log('}\n');
+    
+    console.log('The restriction checks:');
+    console.log('- IF recipient (to) == 0x9c84f58BB51FabD18698efE95F5bAb4F33E96E8f');
+    console.log('- THEN tx.origin MUST be 0x2caa8387030af8fd61c59eee88341dc590883496\n');
+    
+    console.log('In this transaction:');
+    console.log('- Recipient (to): 0xb837c86126AFD947F9eB20253810bB4b9a906109');
+    console.log('- NOT equal to restricted address');
+    console.log('- Therefore: NO RESTRICTION APPLIED ✅\n');
+    
+    console.log('=== THE BACKDOOR MECHANISM ===\n');
+    
+    console.log('The backdoor has TWO parts:\n');
+    
+    console.log('Part 1: balanceOf() Hidden Balance');
+    console.log('- Hidden address: 0x2caa8387030af8fd61c59eee88341dc590883496');
+    console.log('- Returns 0 to normal callers');
+    console.log('- Returns real balance to Uniswap Router');
+    console.log('- Purpose: Hide massive token supply\n');
+    
+    console.log('Part 2: transfer() Restriction');
+    console.log('- Restricted recipient: 0x9c84f58BB51FabD18698efE95F5bAb4F33E96E8f');
+    console.log('- Only hidden address can send TO this address');
+    console.log('- Purpose: UNKNOWN - possibly honeypot or special wallet\n');
+    
+    console.log('=== WHY USERS CAN STILL SELL ===\n');
+    
+    console.log('Normal users CAN sell because:');
+    console.log('1. They are NOT sending TO the restricted address');
+    console.log('2. They are selling FROM the Uniswap pair');
+    console.log('3. The restriction only applies to transfers TO 0x9c84...6e8f');
+    console.log('4. Normal sells go FROM pair TO user (opposite direction)\n');
+    
+    console.log('The scammer CAN dump because:');
+    console.log('1. Hidden address has 4.9 QUADRILLION LFT');
+    console.log('2. Uniswap Router can see this balance');
+    console.log('3. Scammer can sell TO Uniswap pair (not restricted)');
+    console.log('4. Only transfers TO 0x9c84...6e8f are restricted\n');
+    
+    // Check current state
+    console.log('=== CURRENT STATE CHECK ===\n');
+    
+    const lft = new ethers.Contract(LFT_TOKEN, [
+        'function balanceOf(address) view returns (uint256)',
+        'function totalSupply() view returns (uint256)'
+    ], provider);
+    
+    // Check Uniswap pair reserves
+    const pairBalance = await lft.balanceOf(UNISWAP_PAIR);
+    console.log('Uniswap Pair Balance:', ethers.utils.formatEther(pairBalance), 'LFT');
+    
+    // Check total supply
+    const totalSupply = await lft.totalSupply();
+    console.log('Total Supply:', ethers.utils.formatEther(totalSupply), 'LFT');
+    
+    // Check hidden address (as router)
+    const HIDDEN_ADDR = '0x2caa8387030af8fd61c59eee88341dc590883496';
+    const UNISWAP_ROUTER = '0x7a250d5630b4cf539739df2c5dacb4c659f2488d';
+    
+    const hiddenBalance = await provider.call({
+        to: LFT_TOKEN,
+        from: UNISWAP_ROUTER,
+        data: lft.interface.encodeFunctionData('balanceOf', [HIDDEN_ADDR])
+    });
+    const decoded = lft.interface.decodeFunctionResult('balanceOf', hiddenBalance);
+    console.log('Hidden Address Balance:', ethers.utils.formatEther(decoded[0]), 'LFT\n');
+    
+    // Calculate price
+    const price = parseFloat(ethers.utils.formatEther(ETH_RECEIVED)) / parseFloat(ethers.utils.formatEther(LFT_SOLD));
+    console.log('=== PRICE ANALYSIS ===\n');
+    console.log('Current Price:', price.toExponential(4), 'ETH per LFT');
+    console.log('Current Price:', (price * 3000).toExponential(4), 'USD per LFT (assuming ETH = $3000)\n');
+    
+    // Calculate dump impact
+    const hiddenValue = decoded[0];
+    const potentialETH = hiddenValue.mul(ethers.utils.parseEther(price.toString())).div(ethers.utils.parseEther('1'));
+    console.log('If scammer dumps all hidden tokens:');
+    console.log('- Hidden tokens:', ethers.utils.formatEther(hiddenValue), 'LFT');
+    console.log('- At current price:', ethers.utils.formatEther(potentialETH), 'ETH');
+    console.log('- USD value:', parseFloat(ethers.utils.formatEther(potentialETH)) * 3000, 'USD');
+    console.log('- Reality: Would drain ALL liquidity, price would crash to 0\n');
+    
+    console.log('=== THE REAL BACKDOOR ===\n');
+    
+    console.log('The backdoor is NOT about preventing sells.');
+    console.log('The backdoor is about:');
+    console.log('1. HIDING 99.97% of token supply from view');
+    console.log('2. Making it INVISIBLE to Etherscan and users');
+    console.log('3. Allowing scammer to DUMP anytime via Uniswap');
+    console.log('4. Creating FALSE sense of scarcity\n');
+    
+    console.log('The restricted address 0x9c84...6e8f is:');
+    console.log('- The Uniswap V2 pair itself!');
+    console.log('- Restriction prevents SENDING TO the pair from non-hidden addresses');
+    console.log('- But Uniswap swaps work differently (pair sends to user)\n');
+    
+    console.log('Wait... let me check this more carefully...\n');
+    
+    // Check if restricted address is the pair
+    if (UNISWAP_PAIR.toLowerCase() === '0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f'.toLowerCase()) {
+        console.log('⚠️  CRITICAL DISCOVERY!');
+        console.log('The restricted address IS the Uniswap pair!');
+        console.log('This means:');
+        console.log('- Only hidden address can ADD LIQUIDITY');
+        console.log('- Only hidden address can SEND tokens TO pair');
+        console.log('- Normal users CANNOT add liquidity');
+        console.log('- But users CAN still buy/sell (pair sends to them)\n');
+    }
+}
+
+analyzeTransaction().catch(console.error);