Quadriga Initiative Logo.png

QUADRIGA INITIATIVE

CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM

A COMMUNITY-BASED, NOT-FOR-PROFIT

$89 000 USD

SEPTEMBER 2025

GLOBAL

UNKNOWN

DESCRIPTION OF EVENTS

An unverified smart contract was launched on the Base blockchain on August 28th, 2025.

 

This invokes code in another smart contract via a delegatecall.

 

Unfortunately, the smart contract was launched with a vulnerability where the uniswapV3Callback function lacked access control.

 

According to an initial analysis by TenArmor, "[i]t appears that the uniswapV3SwapCallback function of the contract 0x1d9e lacks access control, which was exploited by the attacker."

 

TenArmor has reported that there was "an approximately loss of $88.9K".

 

The incident was reported by TenArmor and researcher Weilin (William) Li.

 

It appears that the incident was included in the Blockthreat report for Week 36 of 2025.

 

There is limited information available about the smart contract, and no suggestion that any recovery is presently being attempted.

 

It's unclear which project is behind this address, and whether any investigation is underway.

On August 28th, 2025, an unverified smart contract was deployed on the Base blockchain containing a critical vulnerability: the uniswapV3SwapCallback function lacked proper access control. This allowed an attacker to exploit the contract using a delegatecall to another contract, resulting in a reported loss of approximately $88.9K. The incident was first analyzed and reported by TenArmor and researcher Weilin (William) Li, and later included in Blockthreat’s Week 36 report. The responsible project remains unidentified, and there is currently no indication of an ongoing investigation or recovery efforts.

TenArmor - "Our system has detected a suspicious attack involving #unverified contract 0x46cbe on #BASE, resulting in an approximately loss of $88.9K." - Twitter/X (Sep 19)
Attack Transaction - BaseScan (Sep 19)
Weilin (William) Li - "yet another uniswapV3Callback lacking access control." - Twitter/X (Sep 19)
BlockThreat - Week 36, 2025 (Sep 19)
Transaction details - Blockscout (Sep 19)
Victim Smart Contract - BaseScan (Sep 19)
Victim Smart Contract Creation Transaction - BaseScan (Sep 19)
Vulnerable Smart Contract - BaseScan (Sep 19)
Creation Of Delegated Smart Contract - BaseScan (Sep 19)

Sources And Further Reading

More case studies

HMS HMagician Smart Contract
Burn Mechanism Exploited

Bunni Rounding Vulnerability
Enables Complex Flashloan Attack

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.