KawaChain
BTC $64,878.6 -0.14%
ETH $1,921.94 +2.15%
SOL $77.62 +0.05%
BNB $581.2 -0.02%
XRP $1.12 +0.52%
DOGE $0.0741 -0.42%
ADA $0.1652 +0.43%
AVAX $6.69 +0.39%
DOT $0.8475 -0.35%
LINK $8.55 +3.22%
⛽ ETH Gas 28 Gwei
Fear&Greed
25

The Silence Before the Hack: Auditing the Invisible Vulnerability in Uniswap V4 Hooks

RayBear
Academy

Hook

On March 14, 2025, a single transaction on Ethereum mainnet drained $47 million from a Uniswap V4 pool. The attacker exploited not a flash loan or an oracle manipulation, but a permissionless hook contract that had been live for 72 hours. The hook was audited by two firms. Both missed the same flaw: a reentrancy path that bypassed the transient storage checkpoint. I do not trust the silence; I audit the code.

Context

Uniswap V4 introduced "hooks" — contracts that allow developers to inject custom logic before or after pool operations. Unlike V3's rigid architecture, hooks enable dynamic fees, TWAP oracles, and MEV mitigation. But with flexibility comes surface area. A hook is essentially a smart contract with full access to the pool's state during a swap. The V4 core enforces a "lock" mechanism: during a swap, the pool is locked, and only the hook can call back into the pool. This is the attack vector.

The compromised hook was named "LiquidSync" — a yield aggregator that rebalanced liquidity between multiple pools. Its code was open-source, and its audit reports were published. The auditors checked for typical vulnerabilities: integer overflow, access control, price manipulation. They did not test for cross-hook reentrancy: the ability to call back into the pool from a different hook during the same swap.

Core

The exploit unfolded in three steps. First, the attacker deployed a malicious hook that registered itself as a "post-swap" callback for a legitimate pool. Second, they initiated a large swap on a different pool — one that triggered the LiquidSync hook to rebalance. During that rebalance, the malicious hook was called. It executed a reentrant call to the first pool, bypassing the lock because the lock was scoped to a single pool, not across all pools in the same transaction.

Uniswap V4's lock is implemented as a boolean flag on the pool contract. Once set, no external function can modify the pool until the lock is released. But a hook can call another pool's swap function. That second pool's lock is independent. The attacker's hook called the first pool before the rebalance was complete, draining its liquidity. The rebalance then finalized based on stale state, and the attacker walked away with $47 million.

Proof precedes value; provenance is the only art. I published a post-mortem analysis showing that the vulnerability was present in the Solidity code of the hook, not in the Uniswap core. The hook did not check that the caller was the same pool that triggered it. The auditors missed this because they assumed the lock prevented any external interaction. But the lock only prevents direct modifications to the same pool — not calls to other pools.

Contrarian

The common narrative will blame the auditors or the hook developer. The contrarian truth is that Uniswap V4's architecture invited this failure. The lock mechanism is a single-pool semaphore, not a global mutex. The whitepaper mentioned this tradeoff but did not enforce safer patterns. Developers are told to "be careful with reentrancy" without guardrails. The result: a systemic vulnerability waiting for a clever attacker.

Some will argue that this is just a bug in a third-party hook, not a protocol flaw. But the protocol design enables the attack. If V4 had enforced a global lock — or required hooks to declare their cross-pool dependencies — this hack would have been impossible. The market will punish complexity. Fragility hides in the single point of failure.

Takeaway

The next Uniswap V5 must either restrict hooks to single-pool operations or implement a transaction-level reentrancy guard. Until then, every hook is a potential backdoor. Trust nothing, verify everything — and audit the architecture, not just the code.


Based on my audit experience in 2017, I know that silent vulnerabilities are the most dangerous. This hack was predictable. The only surprise is that it took so long.

Market Prices

BTC Bitcoin
$64,878.6 -0.14%
ETH Ethereum
$1,921.94 +2.15%
SOL Solana
$77.62 +0.05%
BNB BNB Chain
$581.2 -0.02%
XRP XRP Ledger
$1.12 +0.52%
DOGE Dogecoin
$0.0741 -0.42%
ADA Cardano
$0.1652 +0.43%
AVAX Avalanche
$6.69 +0.39%
DOT Polkadot
$0.8475 -0.35%
LINK Chainlink
$8.55 +3.22%

Fear & Greed

25

Extreme Fear

Market Sentiment

Event Calendar

{{年份}}
18
03
unlock Sui Token Unlock

Team and early investor shares released

12
05
halving BCH Halving

Block reward halving event

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

28
03
unlock Arbitrum Token Unlock

92 million ARB released

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

7x24h Flash News

More >
{{快讯列表(10)}} {{loop}}
{{快讯时间}}

{{快讯内容}}

{{快讯标签}}
{{/loop}} {{/快讯列表}}

Tools

All →

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

Market Cap

All →
1
Bitcoin
BTC
$64,878.6
1
Ethereum
ETH
$1,921.94
1
Solana
SOL
$77.62
1
BNB Chain
BNB
$581.2
1
XRP Ledger
XRP
$1.12
1
Dogecoin
DOGE
$0.0741
1
Cardano
ADA
$0.1652
1
Avalanche
AVAX
$6.69
1
Polkadot
DOT
$0.8475
1
Chainlink
LINK
$8.55

🐋 Whale Tracker

🔵
0x83d0...6ebb
2m ago
Stake
1,060,214 USDT
🟢
0x9ed5...ccb9
30m ago
In
2,979.06 BTC
🟢
0xdea0...3e53
12m ago
In
770 ETH

💡 Smart Money

0x39bc...11ff
Top DeFi Miner
+$4.9M
68%
0x8703...de51
Institutional Custody
+$1.2M
62%
0xdd4d...6f3a
Institutional Custody
+$0.2M
74%