QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$40 000 USD
AUGUST 2025
GLOBAL
UNISWAP
DESCRIPTION OF EVENTS

Uniswap is a decentralized exchange (DEX) protocol built on Ethereum and other EVM-compatible blockchains that enables users to trade cryptocurrencies directly from their wallets without the need for intermediaries. It uses a unique automated market maker (AMM) model, where liquidity providers deposit token pairs into liquidity pools, and traders interact with those pools to execute swaps. Instead of relying on a traditional order book, Uniswap determines pricing through a mathematical formula that balances the ratio of tokens in the pool. This allows for continuous, permissionless trading and deep liquidity across a wide range of token pairs.
Uniswap V3, the third major version of the protocol, introduced several advanced features, including concentrated liquidity and multiple fee tiers. Concentrated liquidity allows liquidity providers to allocate their capital within specific price ranges, increasing capital efficiency and improving returns. Additionally, the protocol is modular, with a core set of smart contracts that handle pool logic and a periphery set that manages user-friendly routing and interface functions. Uniswap is widely used across DeFi for swaps, arbitrage, liquidity provision, and integration into other DeFi platforms, making it one of the most influential protocols in the ecosystem.
Unfortunately, any smart contract with insecure access restrictions is vulnerable to exploitation.
The exploit of contract 0x8d2e on Base chain highlights a recurring security flaw in Uniswap V3 integrations—improper or missing access control on the uniswapV3SwapCallback function. This callback is a required part of the Uniswap V3 protocol; it gets called by the pool after a swap() function is invoked, expecting the calling contract to transfer the owed token amounts. However, because this function can be externally triggered, failing to restrict who can call it opens the door to direct manipulation. In this case, the attacker likely invoked uniswapV3SwapCallback with carefully crafted calldata, simulating a legitimate swap to trick the victim contract into transferring funds.
Historically, developers attempted to secure uniswapV3SwapCallback by hardcoding known Uniswap V3 pool addresses and checking that only these pools could invoke the callback. But that approach is fragile: pools can be forked, misconfigured, or spoofed, and hardcoding values doesn't scale or adapt well to ecosystem changes. Worse, it gives a false sense of security. In the 0x8d2e case, the contract included some form of validation, but the logic was either flawed or insufficiently enforced, allowing the attacker to simulate a valid call and drain around $40,000.
The broader issue here is a design pattern that fails to account for the trust boundaries in DeFi. While Uniswap V3 gives developers flexibility, it assumes implementers will enforce strict controls in their uniswapV3SwapCallback logic. When they don't—whether due to oversight or incorrect assumptions—the results are catastrophic. In this instance, what may have seemed like a reasonable design backfired entirely. The attacker didn’t break the rules—they simply played by the ones left exposed. Going forward, developers must validate the msg.sender as a known, trusted pool created by the Uniswap V3 factory and rigorously verify swap parameters to ensure they match expectations. Anything less is an open invitation for exploits.
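The checks the paragraph above calls for, shown as an added Solidity example written for this page (it is not the 0x8d2e contract or Uniswap's own code): the callback first requires the caller to be the pool the contract armed for the current swap, then re-derives that pool from the canonical factory, then pays only the one token the swap actually owes. GuardedSwapper, pendingPool and swapExactInput are hypothetical names, and the contract is assumed to pay for swaps from its own token balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
interface IUniswapV3Factory { function getPool(address, address, uint24) external view returns (address); }
interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified, uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

// Hypothetical integrator (added example, not the 0x8d2e contract) that pays for swaps from its own balance.
contract GuardedSwapper {
    IUniswapV3Factory public immutable factory;   // canonical V3 factory for the chain, fixed at deployment
    address private pendingPool;                  // pool we are mid-swap with; zero at all other times

    constructor(address factory_) { factory = IUniswapV3Factory(factory_); }

    function swapExactInput(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint160 priceLimit) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no such pool");
        pendingPool = pool;                                      // arm the callback for this one swap only
        IUniswapV3Pool(pool).swap(msg.sender, tokenIn < tokenOut, int256(amountIn), priceLimit,
                                  abi.encode(tokenIn, tokenOut, fee));
        pendingPool = address(0);                                // disarm once the pool has returned
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // Vulnerable shape described in the incident: no caller check, so any address can call this
        // with crafted calldata and have the contract "repay" a swap that never happened:
        //   (address tokenIn,,) = abi.decode(data, (address, address, uint24));
        //   IERC20(tokenIn).transfer(msg.sender, uint256(amount0Delta > 0 ? amount0Delta : amount1Delta));

        // Hardened: 1) the caller must be the pool armed in swapExactInput (rejects unsolicited calls).
        require(pendingPool != address(0) && msg.sender == pendingPool, "unauthorized callback");
        // 2) that pool must be the one the canonical factory created for the encoded parameters,
        //    so a forked, look-alike or stale hardcoded pool address is rejected.
        (address tokenIn, address tokenOut, uint24 fee) = abi.decode(data, (address, address, uint24));
        require(msg.sender == factory.getPool(tokenIn, tokenOut, fee), "pool mismatch");
        // 3) exactly one delta is positive and it must be tokenIn's: an exact-input swap owes the input token.
        bool inIsToken0 = tokenIn < tokenOut;                    // token0 is the lower address in a V3 pool
        int256 owed = inIsToken0 ? amount0Delta : amount1Delta;
        int256 other = inIsToken0 ? amount1Delta : amount0Delta;
        require(owed > 0 && other <= 0, "unexpected deltas");
        require(IERC20(tokenIn).transfer(msg.sender, uint256(owed)), "transfer failed");
    }
}
```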
Losses were analyzed as $40k by SuplabsYi. This matches the blockchain transaction, which indicates that $40k worth of USDC was transferred.
It is unclear who runs this smart contract. The incident was reported by at least 3 separate security firms.
There does not appear to be any formal investigation underway.
There is no evidence that any recovery is possible.
This situation could develop further if the perpetrator is identified.
A recent exploit on the Base chain targeted a smart contract at address 0x8d2e, resulting in a $40,000 loss in USDC due to improper access control on the uniswapV3SwapCallback function. This function is a core part of Uniswap V3’s architecture and must be secured to ensure only trusted Uniswap pools can invoke it. In this case, the attacker exploited weak validation logic—likely simulating a valid callback—to trick the contract into releasing funds. Although some protections may have been in place, they were ineffective, reflecting a broader trend of inadequate safeguards around Uniswap V3 integrations. The exploit was confirmed by multiple security firms and reported by SuplabsYi. There’s currently no evidence of recovery or formal investigation, and the contract’s owner remains unknown.
TenArmor - "Another two hacks: The victim contract 0x8d2e was exploited due to missing access control in the uniswapV3SwapCallback function. Someone approved tokens to the Multicall3 contract, resulting in the tokens being drained." - Twitter/X (Aug 21)
Hklst4r - "Another uniswap V3 unprotected callback hack. base chain" - Twitter/X (Aug 21)
SuplabsYi - "Looks like another uniswapV3SwapCallback-related hack, with a total loss of $40,000. The root cause? The access control mechanism for uniswapV3SwapCallback is pretty weak, letting malicious actors manipulate data and bypass the controls." - Twitter/X (Aug 21)
IUniswapV3SwapCallback - Uniswap Docs (Aug 21)
IUniswapV3PoolActions - Uniswap Docs (Aug 21)
SwapRouter Interface - Uniswap Docs (Aug 21)
Introduction to the Uniswap Protocol - Uniswap Docs (Aug 21)
Uniswap V3 Core Whitepaper (Aug 21)
