# Hardening Auto-Range for Lend Vaults > A security fix for Auto-Range, and less trust in our own keys **Published by:** [Revert](https://paragraph.com/@revertfinance/) **Published on:** 2026-07-09 **URL:** https://paragraph.com/@revertfinance/hardening-auto-range-for-lend-vaults ## Content TL;DR A security researcher privately reported an issue in the Auto-Range V3 contract for UniswapV3 on Ethereum mainnet, Arbitrum, and Base. The researcher has asked to remain anonymous. Thank you, you know who you are. No user funds were at risk at any time, and no positions were affected. We paused Auto-Range executions on those three chains, deployed fixed contracts on July 5, and completed the migration on July 11th. If you had Auto-Range active on a Uniswap v3 position on mainnet, Arbitrum, or Base, you need to re-activate it once. Open the position page and follow the prompt. Configurations on the old contract do not carry over. Auto-Range on Polygon, Optimism, and BNB, and all Aerodrome automations, were not affected. What you need to do Uniswapv3 Auto-Range configurations live inside the contract that executes them. Since the fix required deploying a replacement contract, your old configuration cannot follow automatically: re-creating it is a one-time action only you can take. Open your position on revert.finance. If the position had Auto-Range on the old contract, you will see a prompt to activate Auto-Range again. Set your range trigger as before and confirm. Optional hygiene: revoke the NFT approval you granted to the old contract address. The old contract can no longer touch vault positions and is no longer operated by us, but there is no reason to leave stale approvals around. That's it. Fees, positions, and everything else are untouched. What happened Last week a security researcher reached out through our security contact with a finding in the Auto-Range V3 contract for UniswapV3. No user funds were at risk. The issue was not exploitable by the public: the code path in question was only callable by our own permissioned operator account, the same account that already executes your automations within the limits you configure. What the issue did was quietly increase how much trust that operator account required. And that is exactly the direction we never want to move in. Revert Lend is built around one invariant: anything that touches a position held as collateral must pass through the vault's health checks. That is a promise enforced by code, not by us behaving well. Auto-Range integrates with the vault as a "transformer", so borrowers can rebalance collateral in place, and the vault wraps every such transform in a collateral check before and after. The researcher found that the old Auto-Range contract also accepted direct operator execution on positions owned by the vault, skipping the vault wrapper. Your own configuration limits, like slippage caps and reward caps, still applied on that path. What went missing was the vault-level solvency check, and with it the guarantee that even a compromised operator key could not move Lend collateral outside vault rules. In practice, safety on that path depended on trusting the operator account. Users never signed up for that trust, and we don't want it. So we treated this with the same urgency as a fund-loss bug. The fix Our contracts are not upgradeable, on purpose. A fix therefore means a new deployment and a migration, not a silent patch. The contract change itself is small and public (revert-finance/lend PR #60): direct execute and autoCompound calls now revert when the target NFT is owned by a configured vault. The vault path, where the health checks live, becomes the only way to transform collateral. Regression tests cover the edge cases, including old NFTs that retain a stale approval after a range move. The operational timeline: Date Action June 27 Operator bot stopped executing on the old contracts on mainnet, Arbitrum, and Base July 5 Fixed contracts deployed on all three chains, ownership transferred to the chain multisigs July 5 + 48h Vault allowlisting of the new contracts executed through the Arbitrum and Base timelocks [DATE] Old contracts removed from the vault allowlists on all three chains New contract addresses, verified on the block explorers: Chain Old Auto-Range V3 Fixed Auto-Range V3 Ethereum 0x88481E2Fbc98d4a251655B0F1A4422555EA72d9E 0x9bac2bae9ed87a56c20fdad502b6f0fe1ed4591b Arbitrum 0x5ff2195BA28d2544AeD91e30e5f74B87d4F158dE 0x4b3a32dc12626cbd0ddbd11481722dcc6e6caf30 Base 0xA8549424B20a514Eb9e7a829ec013065Bef9Dc1D 0xa387ad72dacc3c884e601ef946bdef739d72a372 Between June 27 and the redeploy, Auto-Range executions on these three chains were paused. If your position crossed its trigger during that window, it was not rebalanced. We prefer a paused automation over one running on a contract we have open questions about, every time. Trust is the actual bug The lesson we took from this finding is not "add a check". It's that trust in privileged accounts creeps in silently, and it has to be hunted deliberately. The operator account was designed to be low-trust: it can only execute automations users opted into, within limits users configured, and the contracts enforce those limits. This issue widened what trusting the operator meant without anyone deciding it should. The fix restores the boundary: a compromised operator key is once again bounded by contract code, including for Lend collateral. We applied the same standard to our own admin keys while we were at it: Vault administration on Arbitrum and Base already sits behind 48-hour timelocks, and the entire migration above ran through them. No shortcuts, including for our own security fix. Thanks Our thanks again to the researcher who reported this and chose to stay anonymous. Reports like this one are how trust assumptions get found before they matter. Thanks to PeckShield for reviewing this fix prior to deployment. If you believe you've found a security issue in any Revert contract or system, contact us at hi [@] revert.finance. We take every report seriously and we will not be weird about it. ## Publication Information - [Revert](https://paragraph.com/@revertfinance/): Publication homepage - [All Posts](https://paragraph.com/@revertfinance/): More posts from this publication - [RSS Feed](https://api.paragraph.com/blogs/rss/@revertfinance): Subscribe to updates - [Twitter](https://twitter.com/revertfinance): Follow on Twitter