An unverified contract lost $4k

I think root cause is improper check of calldata in “uniswapV2Call” function. It needs to check first parameter-sender address, but it didn’t. Hacker could call this callback function by calling “swap” function.