Emanuele RicciEmanuele Ricci

Emanuele Ricci

2 min read

EVM Puzzle 4 solution

This is Part 4 of the “Let’s play EVM Puzzles” series, where I will explain how to solve each puzzle challenge.

EVM Puzzles is a project developed by Franco Victorio (@fvictorio_nan) that a perfect fit if you are in the process of learning how the Ethereum EVM works and you want to apply some of the knowledge you have just acquired.

EVM Puzzle 4

00      34      CALLVALUE
01      38      CODESIZE
02      18      XOR
03      56      JUMP
04      FD      REVERT
05      FD      REVERT
06      FD      REVERT
07      FD      REVERT
08      FD      REVERT
09      FD      REVERT
0A      5B      JUMPDEST
0B      00      STOP

Similar to the previous challenges, we need to find the correct CALLVALUE value to pass to the contract to make the JUMP jump to the valid JUMPDEST opcode at the instruction 10 (0A in hex)

Let's review each opcode before the JUMP:

  • CALLVALUE push in the stack the msg.value in wei passed along the transaction
  • CODESIZE: push in the stack the byte size of the contract's code
  • XOR: pop the first and second element from the stack and perform the bitwise XOR operation between them. The result will be pushed back to the stack.

Remember that the Stack is a LIFO queue, so when the XOR will be applied it would be like this: XOR(CODESIZE, CALLVALUE)


The first valid JUMPDEST operation is at position 10 so XOR(CODESIZE, CALLVALUE) == 10. In our case, CODESIZE is 12 bytes, so we know that XOR(12, CALLVALUE) must equal to 10.

The correct value of CALLVALUE will be 6!

Here's the link to the solution of Puzzle 4 on EVM Codes website to simulate it.