Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability in the protocol’s Universal Router smart contract.
The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible token (NFT) swapping into a single swap router.
Uniswap also advertised a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts towards the end of 2022 as it looked to assure the safety and efficacy of its protocol.
Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.
The Dedaub team has disclosed a Critical vulnerability to the Uniswap team! Funds are safe - Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains. The vulnerability allows re-entrancy to drain the user's funds, mid-tx.
According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.
The router embeds a scripting language for a wide variety of token actions, which could include transfers to third-party recipients. If correctly implemented, transfers would go to the recipient within specified parameters.
However, Dedaub identified a vulnerability in which third-party code was invoked during the transfer, allowing the code to
Read more on cointelegraph.com
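The class of bug described above, shown as an added Python model that is not Uniswap or Dedaub code: a router holding a user's funds runs a script of transfers, a recipient's code runs mid-transaction and calls back in, and a reentrancy lock makes the whole transaction revert instead. The command format, the names and the lock itself are assumptions for illustration; the article does not describe how Uniswap fixed the issue.

```python
# Toy model (constructed, not Uniswap code): a router that holds a user's
# funds while it runs a script of transfer commands.
class Router:
    def __init__(self, guarded):
        self.guarded = guarded                 # True = reentrancy lock enabled
        self.locked = False
        self.ledger = {"router": 0, "user": 100}   # constructed balances
        self.hooks = {}                        # recipient -> code run on receipt

    def execute(self, commands):
        if self.guarded and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            for recipient, amount in commands:
                if amount is None:             # None = whatever the router still holds
                    amount = self.ledger["router"]
                self.ledger["router"] -= amount
                self.ledger[recipient] = self.ledger.get(recipient, 0) + amount
                hook = self.hooks.get(recipient)
                if hook:
                    hook(self)                 # third-party code runs mid-transaction
        finally:
            self.locked = False


def reenter(router):
    """Hypothetical recipient hook that calls back into the router."""
    if router.ledger["router"] > 0:
        router.execute([("third_party", None)])


def simulate(guarded, hook=None):
    router = Router(guarded)
    if hook:
        router.hooks["third_party"] = hook
    snapshot = dict(router.ledger)             # state before the transaction
    try:
        router.ledger["user"] -= 100           # user funds move into the router
        router.ledger["router"] += 100
        router.execute([("third_party", 10), ("user", None)])
    except RuntimeError:
        router.ledger = snapshot               # models a revert: all changes undone
    return router.ledger


if __name__ == "__main__":
    print("no lock:", simulate(False, reenter))
    print("lock:   ", simulate(True, reenter))
    print("honest: ", simulate(True))
```

Without the lock the third party ends up with the full balance; with it, the nested call is rejected and the user's balance is unchanged, while a script with no reentrant recipient completes normally.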