🚨 V4 Swap Router by z0r0z - Loss $42.6K (2026-03-03)
Type: ABI Encoding / Authorization Bypass
The swap(bytes,uint256) function in UniswapV4Router04 uses inline assembly with a hardcoded calldata offset (calldataload(164)) to verify that the payer in the swap data equals msg.sender. This assumes standard ABI encoding where the bytes parameter offset is always 0x40. An attacker crafted non-standard (but valid) ABI-encoded calldata with the bytes offset set to 0xc0, placing their own address at position 164 to pass the authorization check, while the actual decoded bytes data contained the victim's address as the payer. This allowed the attacker to drain 42,607 USDC from a victim wallet (an EIP-7702 delegated EOA) that had approved the router, swapping it for 21.2 ETH via Uniswap V4's ETH/USDC pool.
TX:
Victim:
Router:
We have reached out to @z0r0zzz, but the contract is not upgradeable and cannot be paused. Revoke approvals to UniswapV4Router04!
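
Added example, not code from the post or from the router: a Python check for monitoring swap(bytes,uint256) calldata that compares the word a fixed read at position 164 sees with the word an ABI decoder reaches by following the bytes offset. The payer's position as the third word of the payload is derived from the post's numbers (164 = 4 + 0x40 + 32 + 64); the selector, the address stand-ins and the function names are constructed placeholders.

```python
WORD = 32
FIXED_PAYER_POS = 164     # offset the router hardcodes, per the post
CANONICAL_OFFSET = 0x40   # standard head offset of `bytes` in (bytes,uint256)
PAYER_WORD_INDEX = 2      # derived: 164 = 4 + 0x40 + 32 (length) + 2*32

def word_at(calldata: bytes, pos: int) -> int:
    """Like calldataload: 32 bytes at pos, zero-padded past the end."""
    return int.from_bytes(calldata[pos:pos + WORD].ljust(WORD, b"\x00"), "big")

def inspect_swap_calldata(calldata: bytes) -> dict:
    """Compare the word a fixed-offset check reads with the word a decoder reads."""
    if len(calldata) < 4 + 2 * WORD:
        raise ValueError("too short for swap(bytes,uint256)")
    offset = word_at(calldata, 4)            # head word 0: where `bytes` starts
    length_pos = 4 + offset                  # the decoder follows this offset
    if length_pos + WORD > len(calldata):
        raise ValueError("bytes offset points outside calldata")
    length = word_at(calldata, length_pos)
    data_start = length_pos + WORD
    if length < (PAYER_WORD_INDEX + 1) * WORD or data_start + length > len(calldata):
        raise ValueError("bytes payload truncated or too short for a payer word")
    checked = word_at(calldata, FIXED_PAYER_POS)
    decoded = word_at(calldata, data_start + PAYER_WORD_INDEX * WORD)
    return {"offset": offset, "checked_payer": checked, "decoded_payer": decoded,
            "suspicious": offset != CANONICAL_OFFSET or checked != decoded}

# Constructed samples: placeholder selector, small integers standing in for addresses.
def _w(v: int) -> bytes:
    return v.to_bytes(WORD, "big")

SELECTOR = b"\x00\x00\x00\x00"               # placeholder, not the real selector
CALLER, OTHER = 0xA11CE, 0xB0B               # constructed stand-ins
CANONICAL = SELECTOR + _w(0x40) + _w(1) + _w(96) + _w(0) + _w(0) + _w(CALLER)
NON_CANONICAL = (SELECTOR + _w(0xC0) + _w(1) + _w(0) * 3 + _w(CALLER)
                 + _w(96) + _w(0) + _w(0) + _w(OTHER))

if __name__ == "__main__":
    for name, cd in (("canonical", CANONICAL), ("non-canonical", NON_CANONICAL)):
        print(name, inspect_swap_calldata(cd))
```

A contract-side equivalent of the same idea is to read the payer from the decoded bytes rather than from a fixed calldata position, or to reject calls whose offset word is not 0x40.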

