
CertiK, a leading smart contract auditing firm, has uncovered a major exploit on the Base blockchain in which an unverified smart contract at address 0xE143b486ab0413 siphoned 55 Wrapped Ether (WETH), worth approximately $220,000, from a victim.
According to CertiK, the weakness lay in a uniswapV3SwapCallback() function with no access control: because any caller could invoke it, the attacker was able to trigger unauthorized transferFrom calls that emptied the victim's wallet.
Base, an expanding Ethereum Layer-2 chain, has drawn significant attention over the past few months. CertiK's Skylens tool traced the victim's (0xf1a3686f4D) stolen 55.4 WETH to the attacker's address. The victim had already approved the contract, a common DeFi mistake that the attacker took advantage of.
The attack resembles the theft of $1 million reported by Cyvers Alerts in October 2024, which exploited similar weaknesses in unverified lending contracts on Base. Both cases underline the continuing risk of interacting with untested code and the need to verify contracts before granting approvals.
CertiK has advised users to revoke any approvals granted to the compromised address. The flawed callback, which omits the essential check on who is sending the message (msg.sender), is also reminiscent of problems identified in previous audits of Uniswap V3.
As DeFi continues to develop, exploits like this are a reminder for users to remain careful, check smart contracts, and follow security best practices to protect their assets.
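To make the missing check concrete, here is an added illustration (not the exploited contract, whose source is unverified): a swap callback that trusts any caller next to one that accepts only a pool deployed by the canonical Uniswap V3 factory. The interfaces are reduced to the functions used, and the contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not the exploited contract. Contract names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
}
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

// VULNERABLE: the callback is public and trusts caller-supplied data. Anyone
// can invoke it directly, name a token and a payer who has approved this
// contract, and receive the tokens as msg.sender.
contract VulnerableRouter {
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        (address token, address payer) = abi.decode(data, (address, address));
        uint256 owed = amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta);
        IERC20(token).transferFrom(payer, msg.sender, owed); // msg.sender is never checked
    }
}

// HARDENED: only a pool deployed by the canonical factory for its own
// (token0, token1, fee) triple may trigger payment, and the token paid is the
// pool's, not the caller's choice. A genuine pool calls this contract back only
// during a swap this contract itself started, so `payer` in `data` is the user
// who initiated that swap (set in the swap entry point, omitted here).
contract HardenedRouter {
    IUniswapV3Factory public immutable factory;
    constructor(address _factory) { factory = IUniswapV3Factory(_factory); }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(amount0Delta > 0 || amount1Delta > 0, "nothing owed");
        IUniswapV3Pool pool = IUniswapV3Pool(msg.sender);
        address canonical = factory.getPool(pool.token0(), pool.token1(), pool.fee());
        require(canonical != address(0) && canonical == msg.sender, "caller is not a Uniswap V3 pool");
        address payer = abi.decode(data, (address));
        if (amount0Delta > 0) {
            IERC20(pool.token0()).transferFrom(payer, msg.sender, uint256(amount0Delta));
        } else {
            IERC20(pool.token1()).transferFrom(payer, msg.sender, uint256(amount1Delta));
        }
    }
}
```

The factory lookup is the check the article says was missing: without it, any contract can pose as a pool and turn users' standing approvals into transfers.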

