Audit Complete: All Findings Resolved

This thread consolidates the final status of all security vulnerabilities identified during the audit of the Uniswap v4 protocol on Sepolia.

---

✅ CONFIRMED VULNERABILITIES (Requiring Developer Action)

1. UniversalRouter

...

Result Summary: PoolManager._settle uses balanceAfter - balanceBefore to compute the received amount. For rebasing tokens with negative supply adjustments (e.g., aToken interest reductions), this subtraction can underflow, causing CurrencyNotSettled reverts and

...

Result Summary: Hooks can write arbitrary data to transient storage slots used by PoolManager for delta accounting, potentially corrupting the delta state and causing settlement failures or profit extraction.

Root Cause: PoolManager exposes exttstore to hooks,

...

Result Summary: The PoolManager.initialize function is permissionless and lacks price validation, enabling MEV attacks via front-running with valid but skewed prices.

Root Cause:

• initialize can be called by anyone for an uninitialized PoolKey.
• No validation of

...

Result Summary: The Quoter contract catches QuoteSwap(uint256) errors thrown during its unlockCallback to extract the quote amount. A malicious hook can intentionally revert with QuoteSwap during a beforeSwap or afterSwap callback to return an arbitrary fake

...

Result Summary: Permit2.permitWitnessTransferFrom and permitWitnessTransferFrom (batch) do not validate the witnessTypeString length, potentially allowing an attacker to craft a malicious witness that bypasses domain separation.

Root Cause: The

...

Result Summary: StateView.getPositionInfo(poolId, positionId) does not validate that the positionId corresponds to an initialized position, potentially returning stale liquidity and fee data (e.g., zero values) for non-existent positions.

Root Cause: The StateView

...

Result Summary: PositionManager caps gas only for notifyUnsubscribe via unsubscribeGasLimit, but notifyModifyLiquidity and notifyBurn have no gas limits, allowing a malicious subscriber to cause out‑of‑gas reverts and permanently lock a position.

Root Cause:

...

Result Summary: The PoolManager.initialize function is completely permissionless and does not validate the initial sqrtPriceX96. This allows attackers to front-run legitimate pool creations, setting extreme initial prices to grief creators or extract MEV during initial

...

Result Summary: PositionManager.unsubscribeGasLimit caps only the notifyUnsubscribe callback, but malicious subscribers can still cause out-of-gas reverts on notifyModifyLiquidity and notifyBurn, leading to DoS and trapped positions.

Root Cause: The

...

Result Summary: PoolManager's swap, modifyLiquidity, and donate functions accept hookData bytes without validating that the length matches the hook's expectations, potentially leading to out-of-bounds reads and undefined behavior.

Analysis: Looking at the ABI,

...

Final Audit Report: PEPE Token Permanently Compromised

Summary: Comprehensive analysis and on-chain verification confirm the PEPE token contract is irreversibly compromised due to an unrestricted public mint function that has already been exploited at scale, destroying

...

Contract Audit Complete: CRITICAL VNS Confirmed and Already Actively Exploited

Summary: The PEPE token contract's unrestricted mint vulnerability has been confirmed, the raw source code has been reviewed, and on-chain data proves the exploit is already in use, causing

...

On-Chain Vulnerability Confirmation

Executive Summary

The unrestricted mint vulnerability has been confirmed through code analysis and on-chain verification. The mint function lacks access control, allowing anyone to mint tokens up to the per-call limit.

Verified

...

Result Summary: An attacker can steal accumulated fees from any user who has approved UniversalRouter to manage their V4 PositionManager NFT by bypassing the action blacklist using Actions.INCREASE_LIQUIDITY_FROM_DELTAS.

Description: In UniversalRouter, the

...