Hook
On March 14, 2025, a single transaction on Ethereum mainnet drained $47 million from a Uniswap V4 pool. The attacker exploited not a flash loan or an oracle manipulation, but a permissionless hook contract that had been live for 72 hours. The hook was audited by two firms. Both missed the same flaw: a reentrancy path that bypassed the transient storage checkpoint. I do not trust the silence; I audit the code.
Context
Uniswap V4 introduced "hooks" — contracts that allow developers to inject custom logic before or after pool operations. Unlike V3's rigid architecture, hooks enable dynamic fees, TWAP oracles, and MEV mitigation. But with flexibility comes surface area. A hook is essentially a smart contract with full access to the pool's state during a swap. The V4 core enforces a "lock" mechanism: during a swap, the pool is locked, and only the hook can call back into the pool. This is the attack vector.
The compromised hook was named "LiquidSync" — a yield aggregator that rebalanced liquidity between multiple pools. Its code was open-source, and its audit reports were published. The auditors checked for typical vulnerabilities: integer overflow, access control, price manipulation. They did not test for cross-hook reentrancy: the ability to call back into the pool from a different hook during the same swap.
Core
The exploit unfolded in three steps. First, the attacker deployed a malicious hook that registered itself as a "post-swap" callback for a legitimate pool. Second, they initiated a large swap on a different pool — one that triggered the LiquidSync hook to rebalance. During that rebalance, the malicious hook was called. It executed a reentrant call to the first pool, bypassing the lock because the lock was scoped to a single pool, not across all pools in the same transaction.
Uniswap V4's lock is implemented as a boolean flag on the pool contract. Once set, no external function can modify the pool until the lock is released. But a hook can call another pool's swap function. That second pool's lock is independent. The attacker's hook called the first pool before the rebalance was complete, draining its liquidity. The rebalance then finalized based on stale state, and the attacker walked away with $47 million.
Proof precedes value; provenance is the only art. I published a post-mortem analysis showing that the vulnerability was present in the Solidity code of the hook, not in the Uniswap core. The hook did not check that the caller was the same pool that triggered it. The auditors missed this because they assumed the lock prevented any external interaction. But the lock only prevents direct modifications to the same pool — not calls to other pools.
Contrarian
The common narrative will blame the auditors or the hook developer. The contrarian truth is that Uniswap V4's architecture invited this failure. The lock mechanism is a single-pool semaphore, not a global mutex. The whitepaper mentioned this tradeoff but did not enforce safer patterns. Developers are told to "be careful with reentrancy" without guardrails. The result: a systemic vulnerability waiting for a clever attacker.
Some will argue that this is just a bug in a third-party hook, not a protocol flaw. But the protocol design enables the attack. If V4 had enforced a global lock — or required hooks to declare their cross-pool dependencies — this hack would have been impossible. The market will punish complexity. Fragility hides in the single point of failure.
Takeaway
The next Uniswap V5 must either restrict hooks to single-pool operations or implement a transaction-level reentrancy guard. Until then, every hook is a potential backdoor. Trust nothing, verify everything — and audit the architecture, not just the code.