CertiK, a leading smart contract auditing firm, has identified a significant exploit on the Base blockchain. An unverified smart contract at address 0xE143b486ab0413Df0D6DAd2caf6d2f61CAC54730 siphoned 55 Wrapped Ether (WETH), valued at approximately $220,000, from a victim.
According to CertiK, the vulnerability stemmed from the uniswapV3SwapCallback() function, which lacked proper access controls: it never checked who was calling it. This allowed unauthorized transferFrom calls against tokens the victim had already approved, ultimately enabling the attackers to drain the victim's wallet.
#CertiKInsight 🚨 We have seen an exploit on an unverified contract on Base that led to the loss of 55 WETH (~$220K) of a victim who had previously approved the contract. https://t.co/ET5kWy5cPk
Please revoke any approvals to 0xE143b486ab0413Df0D6DAd2caf6d2f61CAC54730.
The… pic.twitter.com/Mo6wZmLV7W
— CertiK Alert (@CertiKAlert) October 30, 2025
How the Exploit Occurred
The Base network, an emerging Ethereum Layer-2 chain, has garnered considerable attention in recent months. CertiK's Skylens tool was instrumental in tracing the stolen 55.4 WETH, belonging to the victim (0xf1a3686f4D), to the attacker's address. The attackers exploited a common mistake in Decentralized Finance (DeFi): users pre-approving a contract to spend their tokens before that contract has been verified.
This attack bears resemblance to a reported theft of $1 million in October 2024, documented by Cyvers Alerts. That incident also leveraged similar vulnerabilities in unverified lending contracts on the Base network. Both cases underscore the persistent risks associated with interacting with unverified code and emphasize the critical need to verify smart contracts before granting approvals.
Security Lessons
CertiK has issued a recommendation for users to revoke any existing approvals to the compromised contract address. The identified issue with the improper callback mechanism, which lacked a crucial check on the message sender, echoes problems previously noted in audits of Uniswap V3.
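To make the flaw described above (and in the "How the Exploit Occurred" section) concrete, the following Solidity is an added illustration, not the exploited contract or any CertiK code. It shows the shape of a Uniswap V3 swap callback that trusts its caller blindly, next to a hardened version that only accepts the callback from a pool the canonical factory knows. Interface and contract names (IERC20, IUniswapV3Factory, UnsafeSwapper, SafeSwapper) are assumed for the example; the real Uniswap V3 periphery performs the same pool check via its CallbackValidation library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces for illustration (assumed; the real ones live in @uniswap/v3-core).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

// Shape of the flaw in the alert: the callback pulls tokens from a payer named in
// calldata and never checks who is calling it. A Uniswap V3 pool only invokes
// uniswapV3SwapCallback on the account that called pool.swap(), so a callback that
// skips the caller check can be invoked directly by anyone, not just by a pool.
contract UnsafeSwapper {
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        (address payer, address token) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // msg.sender is trusted blindly: this is the missing access control.
        IERC20(token).transferFrom(payer, msg.sender, owed);
    }
}

// Hardened version. Because a pool calls back only the account that initiated the
// swap, requiring msg.sender to be a factory-deployed pool guarantees that `data`
// was encoded by this contract's own swap call, so `payer` cannot be injected.
contract SafeSwapper {
    IUniswapV3Factory public immutable factory;

    constructor(IUniswapV3Factory _factory) {
        factory = _factory;
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        (address tokenIn, address tokenOut, uint24 fee, address payer) =
            abi.decode(data, (address, address, uint24, address));
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        // Access control: only the genuine pool for this pair and fee tier may settle the swap.
        require(pool != address(0) && msg.sender == pool, "callback: caller is not a pool");
        // A real swap owes exactly one token; reject calls where nothing is owed.
        require(amount0Delta > 0 || amount1Delta > 0, "callback: nothing owed");
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20(tokenIn).transferFrom(payer, pool, owed);
    }
}
```

When auditing a contract you intend to approve, the msg.sender check in the callback is the first thing to look for; if the source is unverified, the check cannot be confirmed at all, which is the risk CertiK's advisory highlights.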
As the DeFi ecosystem continues to evolve, exploits like this serve as a stark reminder to users. It is imperative to exercise caution, thoroughly vet smart contracts, and strictly adhere to best security practices to safeguard digital assets.

