DeFi auditor nets $40,000 for identifying Uniswap vulnerability


The bug bounty program recently launched by Uniswap has uncovered a vulnerability in the protocol's Universal Router smart contract, which has now been fixed.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows users to share and manage token approvals across various applications, while the Universal Router unifies ERC-20 and non-fungible token (NFT) swaps into a single swap router.

Uniswap also promoted a lucrative bug bounty program in late 2022 to identify potential vulnerabilities in its smart contracts, as it sought to ensure that the protocol is safe and effective.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub's disclosure, the Universal Router allows users to perform various actions, including swapping multiple tokens and NFTs in a single transaction.

The router incorporates a scripting language for a wide range of token actions, which can include transfers to third-party recipients. When implemented correctly, each transfer goes to the recipient specified in the command's parameters.


However, Dedaub identified a vulnerability in which third-party code was invoked during such a transfer, allowing that code to re-enter the Universal Router and claim any tokens that were temporarily held in the contract.

Dedaub then suggested a straightforward fix, advising the Uniswap team to add a reentrancy lock to the new router's core execution function. Uniswap awarded a total of $40,000 to the audit firm for reporting the vulnerability. The amount included a 33% premium for flagging the issue during Uniswap's November 2022 bounty period.
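To illustrate the reentrancy lock Dedaub recommended, here is an added Solidity sketch of a hypothetical command-based router (not Uniswap's Universal Router code): the `execute` loop is guarded by a `nonReentrant` modifier so that a recipient's receive hook, invoked during a transfer, cannot call back into the router while tokens from earlier commands are still held by it. The command value, interface and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal router for illustration; not Uniswap's Universal Router.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract MinimalRouter {
    // Assumed command id; the real router has its own command set.
    uint8 constant CMD_SWEEP_721 = 0x01;

    // Reentrancy lock: 1 = unlocked, 2 = locked (non-zero values keep storage writes cheap).
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "ReentrancyLocked");
        _lock = 2;
        _;
        _lock = 1;
    }

    // Core execution entry point. Without nonReentrant, a recipient's
    // onERC721Received hook could call execute() again while earlier
    // commands in this batch have left tokens sitting in the router.
    function execute(bytes calldata commands, bytes[] calldata inputs)
        external
        payable
        nonReentrant
    {
        require(commands.length == inputs.length, "LengthMismatch");
        for (uint256 i = 0; i < commands.length; i++) {
            _dispatch(uint8(commands[i]), inputs[i]);
        }
    }

    function _dispatch(uint8 command, bytes calldata input) internal {
        if (command == CMD_SWEEP_721) {
            (address token, uint256 tokenId, address recipient) =
                abi.decode(input, (address, uint256, address));
            // safeTransferFrom invokes recipient.onERC721Received when the recipient
            // is a contract: this external call is where a re-entry would be attempted,
            // and the lock above makes any nested execute() revert.
            IERC721(token).safeTransferFrom(address(this), recipient, tokenId);
        } else {
            revert("InvalidCommand");
        }
    }
}
```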

Uniswap classified the problem as medium in severity, whereas a further assessment found the vulnerability to be high in impact and low in likelihood. According to Dedaub, the ability for a user to directly send NFTs to an untrusted recipient was regarded as a user error.

More complex and less probable scenarios were considered valid for reentrancy, and as a result the vector was deemed unlikely. Cointelegraph contacted Uniswap for more details about its current bounty program, its payouts and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space, as platforms and businesses seek to secure their software, systems and infrastructure.

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.