Calldata Injection: The $17M Vulnerability Pattern Hiding in Every DeFi Router

via Dev.to • ohmygod • 4h ago

The Pattern That Keeps Taking Money

In January 2026, two DeFi protocols — SwapNet and Aperture Finance — lost a combined $17 million to the same vulnerability class: arbitrary calldata injection. Two months later, the z0r0z V4 Router (a community Uniswap V4 router) disclosed a similar flaw. The pattern is consistent: a contract holds user approvals and exposes a function that makes low-level calls with attacker-controlled data.

This isn't a novel attack. It's a well-known anti-pattern that keeps shipping to production because teams don't validate call targets and selectors in aggregator and router contracts. Let's break down exactly how it works, why it's so deadly, and how to build contracts that are immune to it.

The Anatomy of a Calldata Injection Attack

The Setup

DeFi routers and aggregators need broad permissions to function. Users approve tokens via ERC20.approve() or Permit2, granting the router contract the ability to move their tokens. This is by design — the router needs to
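The validation the excerpt says teams skip, checking both the call target and the function selector before a low-level call, can look like the sketch below. It is an added example, not code from the article or from any of the protocols named; `GuardedRouter`, `setAllowed`, `execute` and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names here are hypothetical.
contract GuardedRouter {
    address public immutable owner;
    // target contract => function selector => permitted
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    error NotOwner();
    error CalldataTooShort();
    error CallNotAllowed(address target, bytes4 selector);
    error CallFailed(bytes returndata);

    constructor() {
        owner = msg.sender;
    }

    // Only the owner decides which (target, selector) pairs are reachable.
    function setAllowed(address target, bytes4 selector, bool ok) external {
        if (msg.sender != owner) revert NotOwner();
        allowedCall[target][selector] = ok;
    }

    // Anti-pattern described above: the caller supplies both the target
    // and the raw bytes while the router holds user token approvals.
    //   function execute(address target, bytes calldata data) external {
    //       (bool ok, ) = target.call(data);
    //       require(ok);
    //   }

    // Hardened form: reject any call whose (target, selector) pair has
    // not been explicitly allowlisted, before the low-level call is made.
    function execute(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        if (data.length < 4) revert CalldataTooShort();
        bytes4 selector = bytes4(data[:4]);
        if (!allowedCall[target][selector]) {
            revert CallNotAllowed(target, selector);
        }
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) revert CallFailed(ret);
        return ret;
    }
}
```

The allowlist is only as strong as its entries: token contracts and Permit2, where users' approvals to the router live, should never be registered as targets.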
