Unknown Contract uniswapV3SwapCallback Lacks Access Control
A wallet on the Base blockchain was exploited due to a vulnerability in its smart contract, specifically a lack of access control on the uniswapV3SwapCallback() function. This flaw allowed attackers to easily exploit the contract, resulting in an estimated loss of $62.3k USD, as reported by TenArmor. Little is known about the contract’s origin or creator, and no investigation or recovery effort has been identified, making the loss likely permanent.[1][2][3][4][5][6]
About Unverified Contract
The victim wallet appears to be at address 0xddddf3d84a1e94036138cab7ff35d003c1207a77. It was originally funded on March 22nd, 2025.
The Reality
Unfortunately, there was a vulnerability where the uniswapV3SwapCallback function lacked proper access control.
What Happened
A smart contract at a wallet on the Base blockchain was exploited in April 2025 due to missing access controls on the uniswapV3SwapCallback() function, resulting in a likely permanent loss of $62.3k USD.
Date | Event | Description |
---|---|---|
March 22nd, 2025 11:49:57 AM MDT | Victim Wallet Created | The first funding of the victim wallet on Ethereum. |
April 11th, 2025 5:38:47 AM MDT | Attack On Base Blockchain | The attack transaction is accepted by miners on the Base blockchain. |
April 11th, 2025 5:53:00 AM MDT | Attack Reported By TenArmor | The attack is reported by TenArmor in a new public tweet. |
Technical Details
Losses have been attributed to a lack of access control on the uniswapV3SwapCallback() function. The victim contract "was therefore easily exploited".
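As an added illustration of this bug class (not the victim contract's code, which is unverified and not reproduced on this page), the following Solidity example contrasts a callback with no caller check against one that only pays the factory-registered pool. The contract names, the SwapData layout and the factory parameter are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the bug class; all names here are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address a, address b, uint24 fee) external view returns (address);
}

// Data the contract itself encodes when it starts a swap (assumed layout).
struct SwapData {
    address tokenIn;
    address tokenOut;
    uint24 fee;
}

// Unchecked shape: the callback pays whoever calls it.
contract UncheckedCallback {
    function uniswapV3SwapCallback(int256 a0, int256 a1, bytes calldata data) external {
        SwapData memory d = abi.decode(data, (SwapData));
        uint256 owed = a0 > 0 ? uint256(a0) : uint256(a1);
        IERC20(d.tokenIn).transfer(msg.sender, owed); // no check on msg.sender
    }
}

// Checked shape: only the factory-registered pool for this pair may collect.
contract CheckedCallback {
    IUniswapV3Factory public immutable factory; // assumed: the chain's Uniswap V3 factory

    constructor(IUniswapV3Factory factory_) {
        factory = factory_;
    }

    function uniswapV3SwapCallback(int256 a0, int256 a1, bytes calldata data) external {
        require(a0 > 0 || a1 > 0, "no payment due");
        SwapData memory d = abi.decode(data, (SwapData));
        address pool = factory.getPool(d.tokenIn, d.tokenOut, d.fee);
        require(pool != address(0) && msg.sender == pool, "caller is not the pool");
        uint256 owed = a0 > 0 ? uint256(a0) : uint256(a1);
        // Assumes a token that returns bool; use a safe-transfer wrapper otherwise.
        require(IERC20(d.tokenIn).transfer(msg.sender, owed), "transfer failed");
    }
}
```

The caller check is sufficient because a Uniswap V3 pool invokes the callback only on the address that called its swap function, so a genuine pool reaches this contract only during a swap the contract itself started.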
Total Amount Lost
TenArmor has provided a loss total of $62.3k USD.
The total amount lost has been estimated at $62,000 USD.
Immediate Reactions
Very few details are known about this smart contract, transaction, or who created it. Only TenArmor has posted details of this transaction.
Ultimate Outcome
There does not appear to have been any sort of investigation or potential recovery launched.
Total Amount Recovered
It is unclear if there has been any recovery in this case.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
This incident is likely a permanent loss.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- TenArmor - "Our system has detected a suspicious attack involving an unverified contract on #BASE, resulting in an approximately loss of $62.3K." - Twitter/X (Accessed Aug 7, 2025)
- Attack Transaction - BaseScan (Accessed Aug 7, 2025)
- Malicious Smart Contract In Attack - BaseScan (Accessed Aug 7, 2025)
- Creation Of Attack Contract - BaseScan (Accessed Aug 7, 2025)
- Source Of Funds And Suspected Victim Wallet - BaseScan (Accessed Aug 7, 2025)
- Victim Address Initially Funded With 0.0005 ETH From ByBit - BaseScan (Accessed Aug 7, 2025)