QI Quadriga Initiative

Sep 2025 - Unverified Contract uniswapV3Callback Lacking Access Control - $89k (Global)

An unverified smart contract was launched on the Base blockchain on August 28th, 2025.

The contract invokes code in another smart contract via a delegatecall.

Unfortunately, the smart contract was launched with a vulnerability where the uniswapV3Callback function lacked access control.

According to an initial analysis by TenArmor, "[i]t appears that the uniswapV3SwapCallback function of the contract 0x1d9e lacks access control, which was exploited by the attacker."

TenArmor has reported that there was "an approximately loss of $88.9K".

The incident was reported by TenArmor and researcher Weilin (William) Li.

It appears that the incident was included in the Blockthreat report for Week 36 of 2025.

There is limited information available about the smart contract, and no suggestion that any recovery is presently being attempted.

It's unclear which project is behind this address, and whether any investigation is underway.

Further Analysis

On August 28th, 2025, an unverified smart contract was deployed on the Base blockchain containing a critical vulnerability: the uniswapV3SwapCallback function lacked proper access control. This allowed an attacker to exploit the contract using a delegatecall to another contract, resulting in a reported loss of approximately $88.9K. The incident was first analyzed and reported by TenArmor and researcher Weilin (William) Li, and later included in Blockthreat’s Week 36 report. The responsible project remains unidentified, and there is currently no indication of an ongoing investigation or recovery efforts.

How Could This Have Been Prevented?
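
The flaw described above is a swap callback that never checks who is calling it. The following Solidity contract is an added example of a caller check, not code from the unverified contract or from any project named on this page; the contract name `GuardedSwapCallback`, the `SwapCallbackData` struct and the `factory_` constructor argument are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the code of the unverified contract in this incident.
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract GuardedSwapCallback {
    address public immutable factory; // assumption: the Uniswap V3 factory, fixed at deployment

    struct SwapCallbackData { // hypothetical payload this contract encodes when it starts a swap
        address token0;
        address token1;
        uint24 fee;
    }

    constructor(address factory_) {
        factory = factory_;
    }

    // Missing access control means the callback pays msg.sender the requested
    // deltas without establishing that msg.sender is a pool. The guard below
    // pays only the pool that the factory reports for (token0, token1, fee).
    // Tokens that do not return a bool from transfer need a safe-transfer wrapper.
    function uniswapV3SwapCallback(
        int256 amount0Delta,
        int256 amount1Delta,
        bytes calldata data
    ) external {
        require(amount0Delta > 0 || amount1Delta > 0, "no payment due");
        SwapCallbackData memory d = abi.decode(data, (SwapCallbackData));

        address pool = IUniswapV3Factory(factory).getPool(d.token0, d.token1, d.fee);
        require(pool != address(0) && msg.sender == pool, "caller is not the pool");

        // Pay only the positive delta, and only to the verified pool.
        if (amount0Delta > 0) {
            require(IERC20(d.token0).transfer(msg.sender, uint256(amount0Delta)), "transfer0 failed");
        } else if (amount1Delta > 0) {
            require(IERC20(d.token1).transfer(msg.sender, uint256(amount1Delta)), "transfer1 failed");
        }
    }
}
```

Because `delegatecall` preserves `msg.sender`, the same check holds when the callback logic lives in a separate implementation contract reached by delegatecall. `immutable` values are read from the implementation's bytecode, so `factory` must be set when that implementation is deployed.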


Sources/Further Reading

TenArmor - "Our system has detected a suspicious attack involving #unverified contract 0x46cbe on #BASE, resulting in an approximately loss of $88.9K." - Twitter/X (Dec 31)
Attack Transaction - BaseScan (Dec 31)
Weilin (William) Li - "yet another uniswapV3Callback lacking access control." - Twitter/X (Dec 31)
BlockThreat - Week 36, 2025 (Dec 31)
Transaction details - Blockscout (Dec 31)
Victim Smart Contract - BaseScan (Dec 31)
Victim Smart Contract Creation Transaction - BaseScan (Dec 31)
Vulnerable Smart Contract - BaseScan (Dec 31)
Creation Of Delegated Smart Contract - BaseScan (Dec 31)

