
super-timepunk (Contributor) commented Sep 17, 2025

ApproveAndAcrossSendFundsAndExecuteOnDstHook

  • Deployed to demo and staging

SwapUniswapV4Hook

  • Deployed to demo and staging

Key Technical Achievements:

  • Dynamic minAmount recalculation with ratio protection

  • On-chain quote generation eliminating API dependencies

  • Real V4 math integration using SwapMath.computeSwapStep

  • Hook chaining for complex multi-protocol workflows

  • Uses pre- and post-execute steps to perform state changes (including external calls) and transfers tokens temporarily to the hook itself (unique among all Superform hooks; requires careful audit).

  • Support native token swaps via an additional NativeTransferHook

  • Test with destination swaps with Across

Todos

  • Reach full coverage of the code

NOTE: anyone can transfer tokens to any hook. This hook by design only uses the amounts sent/specified by the user in the call data. Any other values already present will be ignored, effectively locked forever in the contract.

NativeTransferHook

Warning: not deployed, currently just for tests. Will be deployed if the architecture of SwapUniswapV4Hook is correct for natives.

Note: this hook is required by UniswapV4Hook for the natives case to work.

graphite-app bot (Contributor) commented Sep 17, 2025

How to use the Graphite Merge Queue

Add the label contracts to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

@graphite-app graphite-app bot requested a review from 0xTimepunk September 17, 2025 13:47
graphite-app bot (Contributor) commented Sep 17, 2025

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (09/17/25)

1 reviewer was added to this PR based on 's automation.

codecov bot commented Sep 17, 2025

Codecov Report

❌ Patch coverage is 84.84848% with 30 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...rc/hooks/swappers/uniswap-v4/SwapUniswapV4Hook.sol 80.00% 26 Missing and 4 partials ⚠️


@super-timepunk super-timepunk changed the title feat: univ4Hook + Approve Across Hook feat: univ4Hook + Approve Across Hook + Native Transfer Hook Sep 17, 2025
@super-timepunk super-timepunk marked this pull request as draft September 17, 2025 14:05

🛡️ Immunefi PR Reviews

Your project is enrolled in automatic code reviews. We've received your submission and are currently assigning a reviewer from our team. You'll hear back shortly once a reviewer is on it.

Appreciate your patience — we'll keep you posted right here.


octane-security-app bot commented Sep 22, 2025

Summary by Octane

New Contracts

  • ApproveAndAcrossSendFundsAndExecuteOnDstHook.sol: The contract facilitates ERC20 token transfers across chains with an approval pattern and includes signature handling for secure execution.
  • SwapUniswapV4Hook.sol: The SwapUniswapV4Hook contract facilitates Uniswap V4 swaps with dynamic slippage protection, recalculates minimum output amounts, and offers on-chain quote generation.
  • NativeTransferHook.sol: A non-accounting hook for transferring native ETH to a recipient during ETH-token swaps using a 52-byte data structure.
  • CrosschainTestsCentrifuge.sol: The smart contract manages cross-chain DeFi operations involving deposits, redeems, transfers, and accounting for assets across different chains using hooks and validators.
  • CrosschainWithDestinationSwapTests.sol: The smart contract supports cross-chain asset transfers with destination swaps and deposits utilizing multiple DeFi modules like UniswapV4, SuperExecutor, and validators.
  • UniswapV4Parser.sol: The smart contract generates Uniswap V4 swap calldata for single-hop swaps on-chain, ensuring proper token ordering and fee configurations.

Updated Contracts

  • DeployV2Core.s.sol: Smart contract adds "ApproveAndAcrossSendFundsAndExecuteOnDstHook" and "SwapUniswapV4Hook" features.
  • ConfigBase.sol: Added support for Uniswap V4 pool managers with a new mapping by chain ID.
  • ConfigCore.sol: Added Uniswap V4 pool manager addresses for multiple chain IDs, with some not deployed yet.
  • Constants.sol: Added new hook keys: "ApproveAndAcrossSendFundsAndExecuteOnDstHook" and "SwapUniswapV4Hook".
  • CrosschainTests.sol: Introduced structs for variable grouping, made WARP_START_TIME non-constant, and introduced a consolidated test with ApproveAndAcrossHook.
  • Constants.sol: Added hooks for "ApproveAndAcrossSendFundsAndExecuteOnDst" and Uniswap V4, including multi-hop functionality.

🔗 Commit Hash: 20bc881


octane-security-app bot commented Sep 22, 2025

Overview

Vulnerabilities found: 6
Severity breakdown: 1 Informational, 2 High, 1 Medium, 2 Low
Warnings found: 8

Detailed findings

script/DeployV2Core.s.sol

  • Out-of-bounds array handling in script/DeployV2Core.s.sol::_getContractAvailability causes DoS of check/deploy workflow.

src/accounting/SuperLedgerConfiguration.sol

  • Insufficient accounting validation with open hook/configuration in SuperExecutor/BaseLedger/SuperLedgerConfiguration permits phantom fee theft and fee bypass.

src/executors/SuperDestinationExecutor.sol

  • Missing validator address/code checks and error handling in SuperDestinationExecutor causes destination DoS.
  • Missing ERC20 success verification in destination token hooks causes merkle root consumption without executing intended actions.

src/hooks/bridges/debridge/DeBridgeSendOrderAndExecuteOnDstHook.sol

  • Silent numeric downcast in DeBridgeSendOrderAndExecuteOnDstHook causes DoS of destination execution.

src/hooks/swappers/uniswap-v4/SwapUniswapV4Hook.sol

  • Strict native ETH balance equality in SwapUniswapV4Hook unlockCallback causes DoS of native-ETH swaps.

Warnings

script/DeployV2Core.s.sol

  • Undersized fixed-size arrays in DeployV2Core._getContractAvailability cause operational DoS of deployment/check scripts.
  • Off-by-one index bug in DeployV2Core _deployHooks causes misassigned Uniswap V4 hook address in returned struct.

src/adapters/DebridgeAdapter.sol

  • Ignoring fallback and reverting on ERC20 forward in DebridgeAdapter.onERC20Received causes bridged tokens to be stranded.

src/executors/SuperDestinationExecutor.sol

  • Public destination executor and root-marking in SuperDestinationExecutor with publicly disclosed payload enables third-party merkle root pre-consumption causing DoS of intended bridged execution.

src/hooks/swappers/uniswap-v4/SwapUniswapV4Hook.sol

  • Ignored ERC20 transfer return and missing ERC20 balance assertions in SwapUniswapV4Hook enable draining residual hook-held ERC20 funds.
  • Strict native ETH balance equality in SwapUniswapV4Hook with open receive() causes DoS of native-input swaps.
  • Division-by-zero in SwapUniswapV4Hook._validateQuoteDeviation under dust inputs causes swap/pipeline revert.

src/validators/SuperValidatorBase.sol

  • Missing validAfter enforcement in destination signature validation causes premature execution and root consumption.

🔗 Commit Hash: 20bc881
🛡️ Octane Dashboard: All vulnerabilities
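The two "strict native ETH balance equality" findings above describe a pattern worth seeing side by side; this is an added hypothetical illustration, not the Superform hook source, with all contract and function names assumed. It shows the fragile absolute-balance check that an open receive() lets any sender break, beside a delta-based settlement that tolerates balance already sitting in the hook (the locked-dust situation the PR description's NOTE mentions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the "strict native ETH balance equality with
// open receive()" finding. Names are constructed for this example.
abstract contract NativeAccountingBase {
    // An open receive() is needed so the pool manager can settle native output,
    // but it also means anyone can change this contract's balance at any time.
    receive() external payable {}
}

// Fragile form: correctness depends on an invariant the contract cannot
// enforce (that nobody else ever sends ETH here). Any unsolicited wei makes
// every later native swap revert on the equality check.
contract FragileNativeHook is NativeAccountingBase {
    error BalanceMismatch(uint256 actual, uint256 expected);

    // Would be called from the hook's post-execute step after the swap.
    function _checkNativeBalance(uint256 expected) internal view {
        if (address(this).balance != expected) {
            revert BalanceMismatch(address(this).balance, expected);
        }
    }
}

// Hardened form: measure the delta produced by this swap instead of the
// absolute balance, require at-least semantics against minOut, and forward
// exactly that delta. Pre-existing dust stays inert instead of bricking swaps.
contract RobustNativeHook is NativeAccountingBase {
    error InsufficientOutput(uint256 received, uint256 minOut);
    error NativeTransferFailed();

    // balanceBefore is snapshotted in the pre-execute step, before the swap.
    function _settleNative(uint256 balanceBefore, uint256 minOut, address payable to)
        internal
    {
        uint256 received = address(this).balance - balanceBefore;
        if (received < minOut) revert InsufficientOutput(received, minOut);
        (bool ok, ) = to.call{value: received}("");
        if (!ok) revert NativeTransferFailed();
    }
}
```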
