Hero banner — uniswap v4 hooks

# Uniswap V4 Hooks in 2026: What Programmable AMMs Mean for Self-Custody Signers

Uniswap v4 went live on Ethereum mainnet on January 31, 2025, roughly a year after the Cancun-Deneb upgrade shipped EIP-1153 and gave the EVM the transient storage opcode the new design depends on. Adoption caught up faster than most people expected. By mid-2026, v4 pools were processing near 30% of Uniswap swap volume, and hundreds of custom hooks had been deployed across the ten networks where the protocol runs. That is a large behavior change to absorb if you sign transactions with a hardware wallet, because a v4 pool is no longer just a curve and a fee tier. It is a curve, a fee tier, and a piece of arbitrary code that runs during your swap.

In this piece, we walk through what Uniswap v4 hooks are, how the singleton and flash accounting change LP math, what can go wrong when a hook misbehaves, how to sign v4 transactions safely from a hardware wallet, and where Ryder One fits.

What Uniswap v4 hooks are

A hook is a smart contract that Uniswap's PoolManager calls at defined points during a pool's life. When a pool is created, the deployer picks an address for its hook contract, and the low bits of that address encode which callbacks the hook wants. The PoolManager then invokes those callbacks at the matching moments: before or after a swap, before or after a liquidity change, when a pool is initialized, or during donations to the pool.

That single design turns Uniswap into a plugin platform. Under v3, every pool obeyed the same rules. Under v4, a pool can charge a different fee for every hour of the day, run a time-weighted average market maker so a large order gets sliced across blocks, restrict swaps to KYC-verified wallets, route excess fees to LP incentives, or plug in a custom oracle that a lending protocol reads instead of a Chainlink feed. The official v4 documentation lists the callbacks and shows how permissions get encoded into the hook address itself, which is one of the more clever pieces of the design.

The point of hooks is not that they add new features to Uniswap. The point is that they let anyone add features without waiting for the core team to ship a new version. If you want a pool with a JIT-liquidity defense built in, you write the hook, deploy the pool, and users interact with it the same way they interact with any other v4 pool.

How singleton design and flash accounting change LP math

Uniswap v3 deployed a new contract for every pool. Uniswap v4 does the opposite. All pools live inside one contract, the PoolManager, and each pool is a struct keyed by its token pair, fee, tick spacing, and hook address. That shift alone cuts pool creation cost dramatically, since spinning up a new market no longer means deploying bytecode. It also makes multi-hop routing cheaper, because every hop reads and writes state inside the same contract rather than jumping across contract boundaries.

Flash accounting is the second half of the redesign. In v3, a router that swapped through three pools moved tokens in and out three times. In v4, the router opens a lock on the PoolManager, records net balance deltas as it works, and settles once at the end. Only the final net movement hits ERC-20 transfers. The technique is possible because EIP-1153 introduced transient storage, which behaves like storage inside a transaction and clears at the end, at roughly a hundred gas per operation instead of the twenty-thousand-plus needed for a persistent slot.

Native ETH is a small but welcome addition. Under v3, ETH had to be wrapped into WETH before it could enter a pool. Under v4, the PoolManager handles ETH directly, and the gas cost drops on any path that used to involve a wrap step. For an LP running strategies on Ethereum mainnet, the compound effect of singleton state, flash accounting, and native ETH support is that capital moves further per unit of gas than it did on v3. Small strategies that were unprofitable at v3 gas costs become viable at v4 gas costs, which is why so much of the volume moved.

What can go wrong with a bad hook

Programmability has an obvious downside. A hook is code, and code that runs during your swap has authority over what the swap does. Uniswap Labs cannot vet every hook, and the PoolManager cannot know at deploy time whether a hook contract will behave. That responsibility sits with whoever picks the pool.

Auditors have catalogued the failure modes at length. Hacken's survey of hook vulnerabilities walks through what a hostile hook can do: charge unbounded fees inside its own callback, run gas-heavy loops that force any withdrawal to revert, mix balances across pools that share the same hook address, or replace core swap logic entirely under the async pattern so users are trusting the hook rather than Uniswap. Upgradeable hooks add another layer, because a hook that starts benign can be replaced with hostile logic once liquidity is inside.

The Cork Protocol exploit in May 2025 drained roughly 11 million USD from a Uniswap v4 hook implementation after an access-control gap let an attacker invoke a privileged path that should have been gated. Nobody exploited Uniswap itself. The attacker exploited the third-party hook code that Cork built on top of Uniswap, and the damage landed on the people who had deposited liquidity into the affected pool. That is the shape of the risk going forward. The base protocol is well audited. The plugins that sit on top of it are only as safe as the team that wrote them.

For a self-custody holder, the practical lesson is that pool selection now matters as much as venue selection did in the exchange era. Before you add liquidity to a v4 pool, you want to know who wrote the hook, whether the code has been audited, whether the contract is upgradeable and by whom, and what the hook can do to your position after you deposit.

Signing safely from a hardware wallet

Every interaction with a v4 pool starts with a signed transaction from your wallet. Depositing liquidity, swapping, migrating a position out of v3, or claiming fees each produces a call to the PoolManager with parameters that spell out what you intend to do. If the device you sign on shows only a hash or a truncated to-address, you have no way to catch a wallet that swapped in a hook-controlled router or a UI that changed the destination pool between preview and confirmation.

A few habits keep the flow safe. Read the destination address on the device, not the browser. Confirm that the token pair and amounts render on-screen in a form you understand before you press the confirm button. Prefer wallets and dapps that decode the PoolManager call into human-readable arguments so you can see what pool you are touching, and be skeptical of any interface that asks you to sign an opaque blob for a v4 interaction.

The category of attack this defends against is not new. Address substitution, malicious router contracts, and clipboard hijacks have been around since 2017. What v4 changes is the number of contract addresses a typical DeFi user touches in a single week, and the range of behaviors that can hide behind an innocuous-looking approval. A hardware wallet that renders the full call is not a nice-to-have on a programmable AMM. It is the piece that keeps the plugin architecture from turning into a blind-signing exercise.

Where Ryder One fits

Ryder One is a hardware wallet designed around the assumption that what you see on the device screen is what you are approving. The device runs on an EAL6+ Infineon SLC38 secure element, uses NFC-only communication with no USB or Bluetooth radio, and every signature requires a physical button press wired directly to the secure element. Firmware was audited by Halborn, and the full report is public.

For v4 interactions, the anti-blind-signing behavior is the piece that matters most. When you approve a swap through a hook-enabled pool, the destination address, the token amounts, and the calldata get rendered on the 1.6-inch AMOLED touchscreen in readable form before the button becomes active. If a dapp swaps in a hook-controlled router at the last moment, the change shows up on the device. Combined with on-device address book verification and fee alerts that flag transactions with unusually high gas, the signing flow gives you one more chance to catch something wrong before it goes on-chain.

TapSafe Recovery handles the backup side. Rather than making the seed phrase the sole point of failure, TapSafe splits the recovery share between a Recovery Tag (50%), your paired phone stored encrypted in iCloud or Google Drive (50%), and up to four optional Recovery Contacts (25% each). The BIP-39 seed remains accessible on-device as a last resort, so you are never locked into Ryder hardware. Practicing self-custody on a programmable AMM means both the signing hygiene and the backup posture have to hold, and TapSafe was built so a lost phone or a lost tag on its own does not end the story.

Ryder One ships at $229 with a Recovery Tag, a Qi wireless charger, and a travel pouch. The device measures 41 x 55 x 14.5 mm, weighs 38 grams, and is IP67 rated for dust and water resistance.

Bottom line

Uniswap v4 is a step forward for capital efficiency on Ethereum. Singleton state, flash accounting, native ETH, and hooks together push AMM design in the direction that DeFi users have been asking for since 2021. The catch is the same one that comes with any plugin architecture: the base protocol is audited, but the plugins that run inside it are only as good as the code the third-party team wrote. Every hook is a contract with permissions, and a hostile or buggy hook can hurt the LPs and swappers using its pool. The response is not to avoid v4. The response is to read the pool before you deposit, treat hook code the way you would treat any smart contract you are trusting with funds, and sign every transaction on a device that shows you what you are approving.

Sign what you see, on a device you own. Ryder One renders v4 pool calls in readable form on an EAL6+ secure element, so hooks and routers cannot hide behind an opaque approval.

SEO

  • Target keyword: uniswap v4 hooks
  • SEO title: Uniswap V4 Hooks in 2026: What They Mean for Signers (52 chars)
  • Meta description: Uniswap v4 hooks turned AMMs into a plugin platform in 2025. Here is what programmable pools mean for LPs, swappers, and hardware wallet users. (144 chars)

Meet Ryder One
Meet Ryder One

The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.

Learn More