Security firm Dedaub discovered and disclosed a critical vulnerability on the popular Ethereum decentralized exchange Uniswap. The team behind the protocol fixed the bug, and the affected components were successfully redeployed—otherwise, an attacker could have tempered with transactions to steal a user’s funds.
Uniswap Avoids Danger And Fixes New Features
According to the security firm, the vulnerability was unintentionally implemented with the Universal Router. This component allows Uniswap users to trade ERC-20 tokens and non-fungible tokens “into a single swap router.”
In other words, Uniswap users can optimize their operations and trade multiple tokens and NFTs in a single transaction, saving time and money. This new component also allows users to transfer funds to third parties.
When the vulnerability was in-placed, a user could send a transaction to a third party, and the latter could have gained access to the sender’s funds. Dedaub explained the following:
(…) if third-party code is invoked at any point in the transfer (which manifests itself due to composition of protocols), the code can reenter the UniversalRouter and claim any tokens temporarily in the contract (…). The attacker also needs to implement code to reenter the router (calling execute) and sweep all token amounts. The router may contain funds mid-transaction due to other actions and transfers in a complex swap.
The Universal Router hold the sender’s funds while the transaction is completed. While this happened, the funds were vulnerable, and a bad actor could drain them by calling specific commands such as “dispatch” with a “.TRANSFER” or. “.SWEEP.”
The vulnerability could have allowed a bad actor to “re-entered” a transaction using this command. Once inside, the attacker could have been able to “drain the entire amount” from the sender’s wallet.
The security firm added the following on the “endless scenarios” where the vulnerability could have been exploited:
If untrusted code is invoked at any point in the transfer, the code can re-enter the UniversalRouter and claim any tokens already in the UniversalRouter contract. Such tokens can, for instance, exist because the user intends to later buy an NFT, or transfer tokens to a second recipient, or because the user swaps a larger amount than needed and intends to “sweep” the remainder to themselves at the end of the UniversalRouter call. And there is no shortage of scenarios in which an untrusted recipient may be called (…).
Ethereum DEX Grants $3 Million In Bug Bounty
In December 2022, Uniswap launched the Universal Router as part of their new NFT compatibility. At that time, Uniswap Labs announced a $3 million bounty program. Dedaub was granted this amount for their bug report on the new component.
The firm celebrated the reward and the fact that a bad actor never exploited the vulnerability. In addition, the security firm was “the only bug report that Uniswap acted upon.”
2022 was a troublesome year for crypto and risk-on assets, while macroeconomic forces played against the nascent sector. Users experienced hurdles beyond declining prices as hackers and bad actors took billions from the industry.
Data from on-chain analytics firm Chainalysis claims that bad actors have received over $26 billion in cryptocurrency from 2017 to 2021 alone. It remains to be seen if 2023 will extend or mitigate this trend.
As of this writing, UNI’s price trades at $5.70 with sideways movement on the daily chart.