DeFi auditor earns $40,000 for identifying Uniswap vulnerability


Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability in the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and non-fungible token (NFT) swaps under a single routing contract.

Uniswap also announced a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts towards the end of 2022, as it looked to ensure the safety and efficiency of the protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform various actions, including exchanging multiple tokens and NFTs in one transaction.

The router embeds a scripting language for a wide variety of token operations, which may include transfers to third-party recipients. If properly implemented, transfers will go to the recipient within specified parameters.


However, Dedaub identified a vulnerability in which third-party code was invoked during a transfer, allowing that code to re-enter the Universal Router and claim any tokens temporarily held in the contract.


Dedaub then proposed a straightforward solution, advising the Uniswap team to add a reentrancy lock to the core implementation of the new router. Uniswap awarded the audit firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s November 2022 bonus period.
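To make the mitigation concrete, here is an added illustration of a reentrancy lock on a simplified command-dispatching router. This is example code written for this article, not Uniswap's Universal Router nor Dedaub's patch; the contract name `ExampleRouter`, the `Command` enum and the three commands are assumptions chosen to mirror the behaviour described above (a batch of token operations, one of which hands control to third-party code via an ERC-721 safe transfer, and one of which sweeps balances the router temporarily holds).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 / ERC-721 interfaces used by the example router (hypothetical, not Uniswap's code).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical simplified router: executes a list of commands in one transaction.
contract ExampleRouter {
    // Reentrancy lock: a storage flag set on entry to execute() and cleared on exit.
    // Non-zero constants are used so the slot is never written back to zero (cheaper refunds).
    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private _status = UNLOCKED;

    error Reentrancy();
    error LengthMismatch();

    modifier nonReentrant() {
        if (_status == LOCKED) revert Reentrancy();
        _status = LOCKED;
        _;
        _status = UNLOCKED;
    }

    enum Command { TRANSFER_ERC20, TRANSFER_NFT, SWEEP_ERC20 }

    // Entry point. The lock is held for the whole batch, so any callback that fires
    // during one command cannot start a second batch before the first has finished.
    function execute(Command[] calldata commands, bytes[] calldata inputs) external nonReentrant {
        if (commands.length != inputs.length) revert LengthMismatch();
        for (uint256 i = 0; i < commands.length; i++) {
            _dispatch(commands[i], inputs[i]);
        }
    }

    function _dispatch(Command cmd, bytes calldata input) internal {
        if (cmd == Command.TRANSFER_ERC20) {
            (address token, address recipient, uint256 amount) =
                abi.decode(input, (address, address, uint256));
            IERC20(token).transferFrom(msg.sender, recipient, amount);
        } else if (cmd == Command.TRANSFER_NFT) {
            (address nft, address recipient, uint256 tokenId) =
                abi.decode(input, (address, address, uint256));
            // safeTransferFrom invokes onERC721Received on a contract recipient, so third-party
            // code runs here, mid-transaction. With the lock held, a re-entrant call to
            // execute() reverts with Reentrancy() instead of reaching the sweep logic below.
            IERC721(nft).safeTransferFrom(msg.sender, recipient, tokenId);
        } else if (cmd == Command.SWEEP_ERC20) {
            (address token, address recipient) = abi.decode(input, (address, address));
            // Sends whatever balance the router is temporarily holding to the caller's chosen
            // recipient. This is the "tokens temporarily in the contract" that an unguarded
            // re-entry could otherwise claim on behalf of a different user.
            uint256 bal = IERC20(token).balanceOf(address(this));
            if (bal > 0) {
                IERC20(token).transfer(recipient, bal);
            }
        }
    }
}
```

The design choice worth noting is where the lock sits: on the single public entry point rather than on individual commands. Locking only the sweep would still leave other state-reading commands exposed to a callback, whereas a lock around the whole batch guarantees that every external call made during a batch observes the router in a consistent state. Detection-wise, a monitoring rule that flags `Reentrancy()` reverts originating from NFT recipient contracts gives defenders an early signal that someone is probing the router.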

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have high impact and low probability. According to Dedaub, the possibility that a user sent NFTs directly to an untrusted recipient was considered user error.

Only more complex and less likely scenarios were considered valid reentrancy vectors, which is why Uniswap rated the vector as low probability. Cointelegraph has contacted Uniswap to find out more about the ongoing bounty program, the amounts paid out and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies try to ensure the security of their software, systems and infrastructure.

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million in bug bounties between ethical hackers and Web3 firms in 2022.