
Uniswap Reentrancy Vulnerability Disclosure

Uniswap Labs recently advertised a boosted $3M bounty program for bug reports on their smart contracts, particularly the new UniversalRouter and Permit2 functions. A bug was identified and reported, which resulted in a fix and a new deployment of the UniversalRouter.

The bug was a reentrancy vulnerability in the UniversalRouter, where an attacker could potentially drain all the balances held by the router during transactions. This could occur when an untrusted party gains control during a user transaction, such as with tainted ERC20 tokens in Uniswap pools or callbacks from token transfers. The vulnerability appears during a series of commands in the UniversalRouter: when untrusted code is invoked, that code can re-enter the UniversalRouter and claim any tokens already in the contract.

A proof-of-concept was demonstrated showcasing how an attacker could steal tokens they were not intended to receive. The recommended solution was to add a reentrancy lock to prevent dispatching commands while other commands were being dispatched.
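The recommended lock, sketched on a minimal command-dispatching router. This is an added example, not the UniversalRouter source or Uniswap's fix; `MiniRouter`, `Command`, `IERC20Like` and the two command kinds are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal token interface for this sketch.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

contract MiniRouter {
    struct Command {
        uint8 kind;        // 0 = stand-in for any command that calls untrusted code
                           // 1 = sweep the router's whole balance of a token
        address target;    // callee (kind 0) or token (kind 1)
        address recipient; // sweep destination (kind 1)
        bytes data;        // calldata for the callee (kind 0)
    }

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private locked = NOT_ENTERED;

    error Reentrant();
    error CommandFailed(uint256 index);

    // Rejects a nested execute() while an outer batch is still dispatching.
    modifier nonReentrant() {
        if (locked != NOT_ENTERED) revert Reentrant();
        locked = ENTERED;
        _;
        locked = NOT_ENTERED;
    }

    // Tokens sit in the router between commands. Without the modifier, code
    // reached through a kind-0 command (or a token's transfer callback) could
    // call execute() again and sweep those tokens to itself mid-batch.
    function execute(Command[] calldata cmds) external nonReentrant {
        for (uint256 i = 0; i < cmds.length; i++) {
            Command calldata c = cmds[i];
            if (c.kind == 0) {
                (bool ok, ) = c.target.call(c.data); // control leaves the router here
                if (!ok) revert CommandFailed(i);
            } else {
                IERC20Like token = IERC20Like(c.target);
                uint256 bal = token.balanceOf(address(this));
                if (!token.transfer(c.recipient, bal)) revert CommandFailed(i);
            }
        }
    }
}
```

With the lock in place, a nested `execute()` reverts with `Reentrant()`, the failed inner call makes the outer command revert, and the whole batch is rolled back.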

Uniswap Labs examined the issue and subsequently awarded a $40,000 bounty. Uniswap classified the bug as having high impact and swiftly addressed the issue, but did not award the full bounty because they also felt the issue had a low likelihood: most scenarios for potential exploitation were considered complex.

We thank Uniswap Labs for the bounty and express satisfaction in contributing to the safety of the web3 ecosystem.
