Security company Dedaub disclosed a reentrancy vulnerability in Uniswap's new universal router and received a bug bounty
ChainCatcher news, the security company Dedaub team announced that they received a security vulnerability report bounty from Uniswap Labs for disclosing a serious vulnerability in Uniswap that has the potential for reentrancy, which could deplete users' funds. However, the funds are safe, and the Uniswap team has resolved the vulnerability and redeployed the Universal Router smart contract across all chains.Uniswap released the Universal Router smart contract in November 2022, which consolidates ERC20 and NFT exchanges into a single swap router, allowing users to perform heterogeneous operations, such as swapping multiple tokens and NFTs in a single transaction.Dedaub stated that this router embeds a scripting language for various token operations, and such commands may include transfers to third parties (which may be untrusted) as recipients. If third-party code is called at any point during the transfer process, that code can re-enter the UniversalRouter and temporarily claim any tokens in the contract. Dedaub suggested that Uniswap add a reentrancy lock to the core execution of the new router and redeploy it.