The bug was a reentrancy vulnerability in the UniversalRouter that could allow an attacker to drain all the balances held by the router during transactions. This could occur when untrusted parties gain control during a user transaction, such as with tainted ERC20 tokens in Uniswap pools or callbacks from token transfers. The vulnerability arises when a series of commands in the UniversalRouter invokes untrusted code, which can then re-enter the UniversalRouter and claim any tokens already in the contract.
A proof of concept demonstrated how an attacker could steal tokens they were not intended to receive. The recommended solution was to add a reentrancy lock that prevents commands from being dispatched while other commands are still being dispatched.
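The effect of the recommended lock can be seen in a small model, added here as an example and not taken from the UniversalRouter or from the proof of concept. The class `ModelRouter`, the command names `DEPOSIT`, `CALLBACK` and `SWEEP`, and the amounts are assumptions made for illustration.

```python
class ContractLocked(Exception):
    """Raised when execute() is entered while a dispatch is still running."""


class ModelRouter:
    """Toy model of a command-dispatching router (assumed, not Uniswap's code)."""

    def __init__(self, use_lock):
        self.use_lock = use_lock
        self.locked = False
        self.held = 0    # tokens sitting in the router mid-transaction
        self.paid = {}   # recipient -> tokens paid out

    def execute(self, commands):
        if self.use_lock:
            if self.locked:
                raise ContractLocked("dispatch already in progress")
            self.locked = True
        try:
            for name, arg in commands:
                if name == "DEPOSIT":      # funds land in the router
                    self.held += arg
                elif name == "CALLBACK":   # control passes to untrusted code
                    arg(self)
                elif name == "SWEEP":      # pay out everything the router holds
                    self.paid[arg] = self.paid.get(arg, 0) + self.held
                    self.held = 0
        finally:
            if self.use_lock:
                self.locked = False


def run_user_transaction(use_lock):
    """Constructed scenario: deposit 100, untrusted hook runs, user sweeps."""
    router = ModelRouter(use_lock)

    def untrusted_hook(r):
        # Re-enters the router while the user's tokens are still held.
        r.execute([("SWEEP", "untrusted")])

    try:
        router.execute([("DEPOSIT", 100), ("CALLBACK", untrusted_hook),
                        ("SWEEP", "user")])
    except ContractLocked:
        # On-chain the revert would roll back the whole transaction.
        router.held, router.paid = 0, {}
        return router.paid, True
    return router.paid, False
```

Without the lock the model pays the held tokens to the re-entering party and the user's own sweep receives nothing; with the lock the nested dispatch fails and the whole transaction reverts.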
Uniswap Labs examined the issue and subsequently awarded a $40,000 bounty. Uniswap classified the bug as having high impact and swiftly addressed the issue, but did not award the full bounty because they also felt the issue had a low likelihood: most scenarios for potential exploitation were considered complex.
We thank Uniswap Labs for the bounty and express satisfaction in contributing to the safety of the web3 ecosystem.