# 57866 SC Low: Failure to verify the recipient's address can result in the theft of purchased tokens

**Submitted on Oct 29th 2025 at 10:02:12 UTC by @pashap9990 for** [**Audit Comp | Alchemix V3**](https://immunefi.com/audit-competition/alchemix-v3-audit-competition)

* **Report ID:** #57866
* **Report Type:** Smart Contract
* **Report severity:** Low
* **Target:** <https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/ZeroXSwapVerifier.sol>
* **Impacts:**
  * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

## Description

### Finding Description and Impact

Calldata fetched from the 0x protocol can be verified with the `ZeroXSwapVerifier` library. With verified calldata, an executor can then perform a swap on Uniswap V3 by calling `Settler::execute`. However, the executor's purchased assets can be stolen by a malicious user, because the library fails to verify the recipient's address.

### Code Snippet

* <https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/utils/ZeroXSwapVerifier.sol#L99>
* <https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/utils/ZeroXSwapVerifier.sol#L209>
* <https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/utils/ZeroXSwapVerifier.sol#L225>
* <https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/utils/ZeroXSwapVerifier.sol#L264>

Furthermore, the recipient's address should also be checked in `ZeroXSwapVerifier::_verifyRFQVIP` and `ZeroXSwapVerifier::_verifyVelodromeV2VIP`.
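To make the missing check concrete, here is an added, standalone sketch (written for this page; it is neither ZeroXSwapVerifier's code nor the project's fix) that rejects calldata whose Settler-level `recipient` differs from the executor, in addition to the action-level recipient. The struct layout and the UNISWAPV3_VIP argument order are taken from the PoC helper in this report; the selector value, the error and function names are placeholder assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustration only: not ZeroXSwapVerifier's code and not the project's fix.
/// The struct layout and the UNISWAPV3_VIP argument order follow the PoC helper
/// in the report; the selector value, error and function names are placeholders.
library RecipientCheckExample {
    struct SlippageAndActions {
        address recipient;      // Settler-level recipient: receives the bought tokens
        address buyToken;
        uint256 minAmountOut;
        bytes[] actions;
    }

    // Placeholder selector (assumption); the real constant lives in the project's code.
    bytes4 internal constant UNISWAPV3_VIP =
        bytes4(keccak256("UNISWAPV3_VIP(address,uint256,uint256,bool,bytes)"));

    error RecipientMismatch(address expected, address actual);
    error UnknownAction(bytes4 selector);

    /// @dev Reverts unless the top-level recipient AND every action-level recipient
    ///      equal `expected` (the executor that paid for the swap). Checking only the
    ///      action, as the report describes, lets `saa.recipient` point elsewhere.
    function requireRecipient(SlippageAndActions memory saa, address expected) internal pure {
        if (saa.recipient != expected) revert RecipientMismatch(expected, saa.recipient);

        for (uint256 i = 0; i < saa.actions.length; i++) {
            bytes memory action = saa.actions[i];
            bytes4 selector = bytes4(action);
            if (selector == UNISWAPV3_VIP) {
                // Argument order (recipient, bps, feeOrTickSpacing, feeOnTransfer, fills)
                // mirrors the PoC's abi.encodeWithSelector call.
                (address actionRecipient,,,,) =
                    abi.decode(_args(action), (address, uint256, uint256, bool, bytes));
                if (actionRecipient != expected) revert RecipientMismatch(expected, actionRecipient);
            } else {
                // Fail closed: an unrecognised action cannot be shown to pay `expected`.
                revert UnknownAction(selector);
            }
        }
    }

    /// @dev Strips the 4-byte selector so the remainder ABI-decodes as the argument tuple.
    function _args(bytes memory data) private pure returns (bytes memory out) {
        require(data.length >= 4, "action too short");
        out = new bytes(data.length - 4);
        for (uint256 i = 0; i < out.length; i++) out[i] = data[i + 4];
    }
}
```

Run against the PoC's struct (`recipient: fake`), the top-level comparison fails first, so the action-level recipient is never reached.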

## Proof of Concept

Kindly apply the git patch below.

```diff
diff --git a/src/test/ZeroXSwapVerifier.t.sol b/src/test/ZeroXSwapVerifier.t.sol
index 2c839d0..dc84b5a 100644
--- a/src/test/ZeroXSwapVerifier.t.sol
+++ b/src/test/ZeroXSwapVerifier.t.sol
@@ -6,6 +6,37 @@ import {ZeroXSwapVerifier} from "../utils/ZeroXSwapVerifier.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {TestERC20} from "./mocks/TestERC20.sol";
 

 contract ZeroXSwapVerifierTest is Test {
     TestERC20 internal token;
     address constant owner = address(1);
@@ -58,6 +89,17 @@ contract ZeroXSwapVerifierTest is Test {
         );
         assertTrue(verified);
     }
+
+    function testVerifyUniswapFakeReceiver() public {
+        bytes memory _calldata = _buildUniswapV3VIPFakeReceiverCalldata(token, spender, 300); // 300 bps = 3% slippage
+        bool verified = ZeroXSwapVerifier.verifySwapCalldata(
+            _calldata,
+            owner, 
+            address(token), 
+            1000 // 1000 bps = 10% max slippage
+        );
+        assertTrue(verified);
+    }
     

     
+
+    function _buildUniswapV3VIPFakeReceiverCalldata(TestERC20 _token, address recipient, uint256 bps) internal returns (bytes memory) {
+        address fake = makeAddr("fake");
+        bytes memory fills = abi.encode(address(_token), 100e18);
+        bytes memory action = abi.encodeWithSelector(
+            UNISWAPV3_VIP,
+            recipient,
+            bps, // bps
+            3000, // feeOrTickSpacing
+            false, // feeOnTransfer
+            fills
+        );
+        
+        ZeroXSwapVerifier.SlippageAndActions memory saa = ZeroXSwapVerifier.SlippageAndActions({
+            recipient: fake,
+            buyToken: address(0),
+            minAmountOut: 0,
+            actions: new bytes[](1)
+        });
+        saa.actions[0] = action;
+        
+        return abi.encodeWithSelector(EXECUTE_SELECTOR, saa, new bytes[](0));
+    }
     
  
 }

```
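Review bot: The first hunk's header (`@@ -6,6 +6,37 @@`) announces 31 added lines, but only unchanged context lines are shown, so the additions did not survive into this report; in particular the definitions of `spender`, `UNISWAPV3_VIP` and `EXECUTE_SELECTOR` that the second hunk relies on are not visible here. Please re-attach the complete hunk (or state that those symbols already exist in the test file) so the patch applies cleanly.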
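Review bot: `testVerifyUniswapFakeReceiver` asserts `assertTrue(verified)` for calldata whose Settler-level `recipient` is `fake` while the UNISWAPV3_VIP action names `spender`; this documents the gap, but it reads as a passing test rather than a regression test, and once the verifier compares `saa.recipient` it will fail without saying why. Suggest a comment stating that the `assertTrue` is expected to flip to `assertFalse` (or `vm.expectRevert`) after the fix, and dropping the redundant comment on `bps, // bps`. The hunk header `@@ -58,6 +89,17 @@` also counts 11 added lines while the body adds roughly two dozen, so the line counts should be regenerated before the patch is applied.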
