# Tutorial 57: Unsanitized SWAP Paths and Arbitrary Contract Call Vulnerabilities

In decentralized applications (dApps), routing and swapping assets across tokens or protocols usually relies on user-supplied input to define the path of a transaction: the sequence of tokens to swap through, the DEX or aggregator contract to call, or the encoded calldata to forward to it. This flexibility becomes a serious security risk when that input is not validated or sanitized. An unsanitized path or call target lets a caller steer the protocol's own privileges, most importantly the token approvals that other users have granted to the contract, into whatever external call the attacker chooses: a swap through a malicious token, or a direct `transferFrom` on a legitimate one. The result can be unauthorized token transfers, arbitrary contract calls, or the draining of user funds from the protocol, as seen in the **Li.Fi** attack of July 2024, where a newly deployed facet forwarded user-supplied swap call data to an unvalidated target address and the attacker used it to call `transferFrom` against users who had approved the protocol, causing losses of approximately $8 million.

In this tutorial, we will explore how unsanitized swap paths or transaction routes can lead to arbitrary contract call vulnerabilities and how to mitigate such risks by implementing proper validation and security checks.
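The following Solidity example is added here to illustrate the pattern; it is not code from this tutorial, from Li.Fi, or from any audited protocol. It places a router that forwards a user-supplied `callTo`/`callData` pair without checks beside a hardened version that allowlists call targets and function selectors, refuses to call a token contract or itself, validates a Uniswap-style token path, and revokes leftover allowance. Contract and struct names, the allowlist layout and the selector check are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this tutorial. Not code from the tutorial or from any audited
// protocol; contract names, struct layout and allowlist design are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

struct SwapData {
    address callTo;           // DEX / aggregator that receives the forwarded call
    address approveTo;        // spender granted the allowance for the input token
    address sendingAssetId;   // input token
    address receivingAssetId; // expected output token
    uint256 fromAmount;
    address[] path;           // Uniswap-style token route, user supplied
    bytes callData;           // encoded DEX call, user supplied
}

/// Vulnerable: callTo, approveTo, path and callData come straight from the caller.
/// Any user who has approved this router can be drained by an attacker who sets
/// callTo = <token>, callData = transferFrom(victim, attacker, amount), because
/// the forwarded call is made with the router as msg.sender.
contract VulnerableRouter {
    function swap(SwapData calldata s) external {
        IERC20(s.sendingAssetId).transferFrom(msg.sender, address(this), s.fromAmount);
        IERC20(s.sendingAssetId).approve(s.approveTo, s.fromAmount);
        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "swap failed");
    }
}

/// Hardened: every user-controlled address and the 4-byte selector are checked
/// against owner-managed allowlists before any external call is made.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedDex;                          // callTo / approveTo
    mapping(address => bool) public allowedToken;                        // tokens allowed in path
    mapping(address => mapping(bytes4 => bool)) public allowedSelector;  // dex => selector

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setDex(address dex, bool ok) external onlyOwner { allowedDex[dex] = ok; }
    function setToken(address token, bool ok) external onlyOwner { allowedToken[token] = ok; }
    function setSelector(address dex, bytes4 sel, bool ok) external onlyOwner { allowedSelector[dex][sel] = ok; }

    /// The path must start at the input token, end at the output token and only
    /// traverse allowlisted tokens, so a malicious token cannot be injected mid-route.
    function validatePath(address[] calldata path, address tokenIn, address tokenOut) public view {
        require(path.length >= 2, "path too short");
        require(path[0] == tokenIn && path[path.length - 1] == tokenOut, "bad path endpoints");
        for (uint256 i = 0; i < path.length; i++) {
            require(allowedToken[path[i]], "token not allowlisted");
        }
    }

    function swap(SwapData calldata s) external {
        // Never let the router call itself or a token contract with user calldata.
        require(s.callTo != address(this) && s.approveTo != address(this), "self call");
        require(!allowedToken[s.callTo] && s.callTo != s.sendingAssetId, "target is a token");
        require(allowedDex[s.callTo] && allowedDex[s.approveTo], "target not allowlisted");

        // Restrict which function on the DEX may be invoked (e.g. swapExactTokensForTokens).
        require(s.callData.length >= 4, "calldata too short");
        bytes4 sel = bytes4(s.callData[:4]);
        require(allowedSelector[s.callTo][sel], "selector not allowlisted");

        validatePath(s.path, s.sendingAssetId, s.receivingAssetId);

        IERC20 token = IERC20(s.sendingAssetId);
        require(token.transferFrom(msg.sender, address(this), s.fromAmount), "pull failed");
        require(token.approve(s.approveTo, s.fromAmount), "approve failed");
        (bool ok, ) = s.callTo.call(s.callData);
        require(ok, "swap failed");
        // Leave no standing allowance behind for the DEX.
        require(token.approve(s.approveTo, 0), "revoke failed");
    }
}
```

Two caveats a practitioner should keep in mind. First, the selector check only constrains which function is called, not its arguments: the `path` field validated here is a separate struct member, and the route actually encoded inside `callData` may differ from it. The strongest fix is to not forward user calldata at all and instead have the router ABI-encode the DEX call itself from the validated arguments. Second, `require(token.approve(...))` will revert on tokens such as USDT that return no boolean; in production, wrap these calls with OpenZeppelin's `SafeERC20` rather than checking the raw return value.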
