Those contracts have functions (such as “0xa6efca62”) that can be used to swap tokens on Uniswap v3, and there is no access check in those functions.

The hacker created a fake Uniswap v3 pool with his own token and made the victim contract exchange tokens on that pool by calling the vulnerable function, then removed the liquidity from the pool.

Contracts on Ethereum, BSC, Avalanche and Base were affected; the total loss is $170k.
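The sketch below is an added example, not code from the affected contracts, showing the two checks whose absence made this possible: a caller restriction on the swap function and a token allowlist so funds cannot be routed into a pool built around an arbitrary token. The contract name `GuardedSwapper`, its functions and the allowlist are hypothetical. It is also an assumption that swaps go through the Uniswap v3 `SwapRouter` `exactInputSingle` interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces. Assumes tokens whose approve() returns bool.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

// Hypothetical token-holding contract; all names here are illustrative.
contract GuardedSwapper {
    address public immutable owner;
    ISwapRouter public immutable router;
    mapping(address => bool) public allowedToken; // tokens the owner has vetted

    constructor(ISwapRouter _router) { owner = msg.sender; router = _router; }

    // Caller restriction: the access check the affected functions lacked.
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setAllowedToken(address token, bool ok) external onlyOwner {
        allowedToken[token] = ok;
    }

    // Without onlyOwner and the allowlist, any caller could choose tokenOut
    // and have this contract trade its balance against a pool they control.
    function swap(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint256 minOut)
        external onlyOwner returns (uint256)
    {
        require(allowedToken[tokenIn] && allowedToken[tokenOut], "token not allowed");
        require(minOut > 0, "no slippage bound"); // refuse swaps that accept any price
        IERC20(tokenIn).approve(address(router), amountIn);
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams(
            tokenIn, tokenOut, fee, address(this), block.timestamp, amountIn, minOut, 0));
    }
}
```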