The CivTrade contract has been put on hold.

08 Jul 2023, 09:08
The CivTrade contract has been put on hold🚨 Assets were stolen this morning by exploiting a vulnerability in the approval function for creating limit orders on @Uniswap . Neither the contract nor the users' wallets were breached, but they exploited approvals to the contract to hack a callback function that sends funds directly to uniswap pools for creating sell orders. We are continuing to investigate the incident to provide further updates.

Same news in other sources

Civilization
CivilizationCIV #1628
Telegram
08 Jul 2023, 09:50
Update on the reported hack: the CivTrade contract has been paused while the incident is being investigated to mitigate any further risk. Token approvals to the CivTrade v2 may be the source of risk, as the attacker appears to have impersonated Uniswap to use those approvals for malicious transfers, including $4k from my own wallet (previously gained from the OP airdrop). Current CivTrade open positions are likely not affected, they are directly deposited on (real) Uniswap pools. The reportedly vulnerable function (still being investigated), called "uniswapV3MintCallback", is specific to CivTrade and is used to transfer assets from the user wallet directly to Uniswap, and is meant to only be called by Uniswap - the attacker may have found a vulnerability vector which was previously unreported. This function (not used in CivFarm) had been audited and is based on a broadly used approach in the industry of interacting with Uniswap v3. We will be in touch with Uniswap and OpenZeppelin developers to inquire further, meanwhile I recommend to revoke any approvals to the contract address 0x7CAEC5E4a3906d0919895d113F7Ed9b3a0cbf826 by using https://etherscan.io/tokenapprovalchecker - will be back in touch with any further information as our understanding of the situation develops. We seem to have received some unwanted love by sophisticated attackers. My sincere apologies to all those who have been affected: as a community I hope we will be able to address and solve this new issue in the best long-term interest of everyone!
Civilization
CivilizationCIV #1628
Telegram
08 Jul 2023, 09:09
The CivTrade contract has been put on hold🚨 Assets were stolen this morning by exploiting a vulnerability in the approval function for creating limit orders on Uniswap. Neither the contract nor the users' wallets were breached, but they exploited approvals to the contract to hack a callback function that sends funds directly to uniswap pools for creating sell orders. We are continuing to investigate the incident to provide further updates.
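Both posts above describe the same mechanism: a `uniswapV3MintCallback` that moves tokens out of user wallets using approvals granted to the contract, and that is only supposed to run when a genuine Uniswap v3 pool calls it. The Solidity sketch below is an added illustration of that pattern and its standard hardening; it is not CivTrade's code, makes no claim about the actual bug, and uses hypothetical names (`LimitOrderVault`, `openLimitOrder`, `activePool`, `MintCallbackData`). The Uniswap interface slices (`getPool`, `mint`, the callback signature) match the public v3 core interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example (not CivTrade's code): a limit-order helper that deposits
// user tokens into a Uniswap v3 pool through the mint callback, with the caller
// checks such a callback needs.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Minimal slices of the Uniswap v3 core interfaces (only what this example calls).
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IUniswapV3Pool {
    function mint(address recipient, int24 tickLower, int24 tickUpper, uint128 amount, bytes calldata data)
        external returns (uint256 amount0, uint256 amount1);
}

contract LimitOrderVault {
    IUniswapV3Factory public immutable factory;

    // Pool whose mint() we are currently inside; zero when no mint is in flight.
    address private activePool;

    // Hypothetical payload we hand to pool.mint() and get back unchanged in the callback.
    struct MintCallbackData {
        address token0;
        address token1;
        uint24 fee;
        address payer;
    }

    constructor(IUniswapV3Factory _factory) {
        factory = _factory;
    }

    function openLimitOrder(
        address token0, address token1, uint24 fee,
        int24 tickLower, int24 tickUpper, uint128 liquidity
    ) external returns (uint256 amount0, uint256 amount1) {
        // Resolve the pool from the canonical factory; never trust a caller-supplied pool address.
        address pool = factory.getPool(token0, token1, fee);
        require(pool != address(0), "unknown pool");
        require(activePool == address(0), "mint already in flight");

        activePool = pool;
        (amount0, amount1) = IUniswapV3Pool(pool).mint(
            address(this), tickLower, tickUpper, liquidity,
            abi.encode(MintCallbackData({token0: token0, token1: token1, fee: fee, payer: msg.sender}))
        );
        activePool = address(0);
    }

    // WEAK SHAPE (shown for contrast, do not deploy): a callback that decodes `data` and
    // checks nothing about msg.sender can be invoked by any contract, which then receives
    // tokens pulled from whichever `payer` has approved this vault:
    //
    //   function uniswapV3MintCallback(uint256 a0, uint256 a1, bytes calldata data) external {
    //       MintCallbackData memory d = abi.decode(data, (MintCallbackData));
    //       IERC20(d.token0).transferFrom(d.payer, msg.sender, a0);  // msg.sender unchecked
    //       IERC20(d.token1).transferFrom(d.payer, msg.sender, a1);
    //   }

    // HARDENED: only the pool we are mid-mint with may trigger a transfer, the pool must be
    // the one the factory knows for the decoded token pair, and `payer` is trustworthy only
    // because the pool echoes back the bytes we encoded ourselves in openLimitOrder().
    function uniswapV3MintCallback(uint256 amount0Owed, uint256 amount1Owed, bytes calldata data) external {
        MintCallbackData memory d = abi.decode(data, (MintCallbackData));
        require(activePool != address(0), "no mint in flight");
        require(msg.sender == activePool, "caller is not the active pool");
        require(msg.sender == factory.getPool(d.token0, d.token1, d.fee), "pool/data mismatch");

        // Production code would use a SafeERC20-style wrapper for non-standard tokens.
        if (amount0Owed > 0) require(IERC20(d.token0).transferFrom(d.payer, msg.sender, amount0Owed), "token0 pay");
        if (amount1Owed > 0) require(IERC20(d.token1).transferFrom(d.payer, msg.sender, amount1Owed), "token1 pay");
    }
}
```

The in-flight `activePool` guard is the key defensive property: the callback is a no-op unless this contract itself started a `mint` on that exact pool in the same transaction, so an approval to the vault can only ever fund an order the approving user opened. For users, the corresponding check is the one the project recommends in its update: review and revoke outstanding approvals to the contract address with a token approval checker.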