Security company Dedaub disclosed a reentrancy vulnerability in Uniswap's new universal router and received a bug bounty

2023-01-03 23:44:50

ChainCatcher news: the security company Dedaub announced that it received a bug bounty from Uniswap Labs for disclosing a serious reentrancy vulnerability in Uniswap that could deplete users' funds. The funds are safe: the Uniswap team has resolved the vulnerability and redeployed the Universal Router smart contract across all chains.

In November 2022, Uniswap released the Universal Router smart contract, which consolidates ERC20 and NFT swaps into a single swap router and lets users perform heterogeneous operations, such as swapping multiple tokens and NFTs, in a single transaction.

Dedaub stated that the router embeds a scripting language for various token operations, and that its commands may include transfers to third-party recipients, which may be untrusted. If third-party code is called at any point during a transfer, that code can re-enter the Universal Router and temporarily claim any tokens in the contract. Dedaub suggested that Uniswap add a reentrancy lock to the core execution of the new router and redeploy it.
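The pattern Dedaub describes, as a simplified Python model added here for illustration; it is not Uniswap's or Dedaub's code, and the `Router` class, the command names and the balances are constructed for the example. It runs the same command sequence with the reentrancy lock disabled and enabled.

```python
class ReentrancyError(Exception):
    """Raised when execute() is entered while it is already running."""

class Router:
    """Toy model: tokens sit in the router only while execute() runs."""
    def __init__(self, lock_enabled):
        self.lock_enabled = lock_enabled
        self.entered = False
        self.ledger = {"router": 0}   # account name -> token balance
        self.hooks = {}               # account name -> code run on receipt

    def execute(self, commands):
        if self.lock_enabled and self.entered:
            raise ReentrancyError("execute() re-entered")
        self.entered = True
        try:
            for op, recipient, amount in commands:
                if op == "SWEEP":     # pay out everything the router holds
                    amount = self.ledger["router"]
                self._transfer(recipient, amount)
        finally:
            self.entered = False

    def _transfer(self, recipient, amount):
        if amount <= 0:
            return
        self.ledger["router"] -= amount
        self.ledger[recipient] = self.ledger.get(recipient, 0) + amount
        hook = self.hooks.get(recipient)
        if hook:                      # third-party code runs mid-transfer
            hook(self)

def run_swap(lock_enabled):
    """User funds the router with 100, pays 10 to a third party, sweeps the rest."""
    router = Router(lock_enabled)
    router.ledger.update({"user": 100, "third_party": 0})
    # Constructed untrusted recipient: on receipt it re-enters and sweeps.
    router.hooks["third_party"] = lambda r: r.execute([("SWEEP", "third_party", 0)])
    snapshot = dict(router.ledger)
    try:
        router.ledger["user"] -= 100
        router.ledger["router"] += 100
        router.execute([("TRANSFER", "third_party", 10), ("SWEEP", "user", 0)])
    except ReentrancyError:
        router.ledger = snapshot      # models the on-chain revert
        return "reverted", router.ledger
    return "ok", router.ledger

if __name__ == "__main__":
    print(run_swap(False), run_swap(True))
```

Without the lock, the user's final sweep finds the router already empty; with it, the nested `execute()` call fails and the whole transaction is rolled back.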
