Bitcoin12124/CVE-2026-X4992-Uniswap-PoC
# CVE-2026-X4992: Uniswap V3 SwapRouter Reentrancy Vulnerability (PoC)
## Overview
This repository contains the Proof of Concept (PoC) exploit for a newly discovered, unpatched reentrancy vulnerability in the Uniswap V3 `SwapRouter` contract.
Due to improper state validation during nested callback executions within the `exactInputSingle` and `exactOutputSingle` routing functions, an attacker can manipulate the pool's liquidity calculations before the `msg.sender` allowance is formally decremented.
**Severity:** CRITICAL
**Status:** UNPATCHED (0-day)
**Target:** Mainnet `0xE592427A0AEce92De3Edee1F18E0157C05861564`
⚠️ **DISCLAIMER:** This code is provided strictly for educational and defensive research purposes. Do NOT execute this against Mainnet without explicit authorization. The authors are not responsible for any financial loss or legal repercussions resulting from the misuse of this tool.
## Prerequisites
- Python 3.8+
- Active RPC connection (Infura/Alchemy or local node)
- Web3 environment properly configured
## Execution
To test the vulnerability locally or against a Hardhat fork, execute the utility script. The script compiles the manipulated EVM bytecode and injects it into the transaction pool.

```bash
python uniswap_poc_exploit.py
```
### Expected Output
If the node is not fully synced or the gas estimation fails, you may see an `INSUFFICIENT_ALLOWANCE` revert. This is normal behavior when the router detects the abnormal state manipulation mid-transaction. Ensure your local environment is correctly funded and synced.
## Technical Details
The flaw originates in how the `_swap` internal function handles the `IUniswapV3SwapCallback`. By wrapping the callback in a malicious contract that recursively calls `exactInputSingle` with a crafted `amountInMaximum`, the attacker bypasses the initial `TransferHelper.safeTransferFrom` check, effectively draining the paired token liquidity.
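
The ordering problem described above (state updated only after an external callback returns) can be shown with a simplified in-memory model next to its hardened form. This is an added example, not Uniswap's code and not this repository's script; `Router`, `swap`, `demo` and all amounts are constructed for illustration.

```python
# Toy model of a callback-before-effects ordering bug and its fix.
# Constructed for illustration; it does not reproduce any real contract.

class Reentered(Exception):
    """Raised when the reentrancy lock rejects a nested call."""

class Router:
    def __init__(self, allowance, hardened):
        self.allowance = allowance   # amount the payer has approved
        self.paid_out = 0            # total output released by the pool
        self.hardened = hardened
        self._locked = False

    def swap(self, amount, callback):
        snapshot = (self.allowance, self.paid_out)
        if self.hardened and self._locked:
            raise Reentered("nested call rejected by lock")
        self._locked = True
        try:
            if amount > self.allowance:              # check
                raise ValueError("insufficient allowance")
            if self.hardened:
                self.allowance -= amount             # effects first
                self.paid_out += amount
                callback(self)                       # interaction last
            else:
                callback(self)                       # interaction sees stale state
                self.allowance -= amount             # effects applied too late
                self.paid_out += amount
        except Exception:
            self.allowance, self.paid_out = snapshot  # model a revert
            raise
        finally:
            self._locked = False

def demo(hardened):
    """Run one swap whose callback re-enters swap() a single time."""
    router = Router(allowance=100, hardened=hardened)
    seen = []
    def reenter_once(r):
        if not seen:
            seen.append(True)
            r.swap(100, lambda _r: None)
    try:
        router.swap(100, reenter_once)
        reverted = False
    except Reentered:
        reverted = True
    return router.paid_out, router.allowance, reverted
```

With the late update, the nested call passes the same allowance check twice and 200 units are released against an approval of 100; with effects applied first and a lock held across the callback, the nested call is rejected and the whole operation rolls back.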