
Uniswap v3 Remove Smart Contract Incident Post Mortem for Sommelier

VolumeFi’s Uniswap v3 Remove contract experienced an attack where our NFT remove contract for Uniswap v3 failed to validate the recipient of the liquidity removal action. Impacted users and their lost liquidity will be refunded. Read on below for the full incident report.

VolumeFi Incident Report

Summary

VolumeFi’s Uniswap v3 Remove contract experienced an attack where our NFT remove contract for Uniswap v3 failed to validate the recipient of the liquidity removal action. As such, our contract experienced an exploit on two instances where it allowed an attacker to remove liquidity before the legitimate user was able to remove the liquidity themselves.

Users of the contract on Sommelier experienced a loss of access to their liquidity. Upon detection, the contract was paused. VolumeFi patched and published the updated contract to Ethereum mainnet and directed the Sommelier team to test and deploy into the Sommelier application.

The Incident

Time of attack: On Jul-20-2021 07:21:50 AM UTC, a hacker with wallet address 0x8784c3c322d4cbb5a8fb791738bffb9809a18e53 performed the attack on the VolumeFi Uniswap v3 Remove contract.

The steps to the exploit are as follows:

  1. The NFLP (Uniswap v3 non-fungible liquidity position) owner approves the VolumeFi Uniswap v3 remove contract to remove liquidity for their position.
  2. Before the NFLP owner can remove their liquidity, the hacker calls the VolumeFi remove contract to remove liquidity for that NFLP, but supplies the hacker's own address as the destination. Uniswap allows this transaction because the NFLP owner has approved our contract, and our contract did not check who was calling it.

The VolumeFi Uniswap v3 remove contract was exposed to an issue where any msg.sender who was NOT the nflpManager.ownerOf(tokenId) could control the destination of the removed funds once the owner had approved the contract.

Immediate actions and move-forward plan

Upon alert of a loss of liquidity by a Sommelier user, the Sommelier and VolumeFi teams investigated and confirmed the contract exploit. The teams then paused the contract and deployed a patched contract, which the Sommelier team will test and include in the Sommelier Pairings application. Moving forward, VolumeFi will require that msg.sender owns the token for all Uniswap v3 contract interactions. VolumeFi will also keep a list of active and discovered exploits on Uniswap v3. We will also share our experience with this issue with the Uniswap team.

Compensation Plan

VolumeFi will contact the impacted users and refund them the lost liquidity totaling approximately $1,600.00 USD to their addresses that were impacted by the exploit. No other funds were at risk from this attack.

Conclusion

All other contracts are under further review. Our VolumeFi and Sommelier teams will continue to advance audits of all Ethereum mainnet contracts to identify possible vulnerabilities and to prevent similar incidents.
