Crypto projects typically have ongoing development work to keep pace with the constantly evolving crypto space. To support this, organizations often introduce or host bug bounty programs. One of the newer players here is Uniswap, whose recently launched bug bounty program quickly led to the discovery of a now-fixed vulnerability in the protocol’s new Universal Router smart contract.
Back in November, the Uniswap protocol, an automated market maker, introduced two new smart contracts. The first, Permit2, allows token approvals to be shared and managed across different applications, helping to create a more unified, cost-efficient, and safer UX. The second is the Universal Router, which unifies ERC20 and NFT swapping into a single swap router. When integrated with Permit2, the Universal Router lets users swap multiple tokens and NFTs in one single swap, saving on gas fees.
As a means of making sure that the protocol is safe and has a smoother user interface, the Uniswap protocol also advertised a lucrative bug bounty program around the end of 2022 to identify potential vulnerabilities in its smart contracts. This was a further step towards ensuring the safety and efficacy of the protocol.
The Dedaub team has disclosed a Critical vulnerability to the Uniswap team!
Funds are safe – Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains 👏
The vulnerability allows re-entrancy to drain the user’s funds, mid-tx.
— Dedaub (@dedaub) January 2, 2023
Soon after the launch of the bug bounty, Dedaub, a smart contract security and auditing firm, disclosed that it had received a bug bounty for pointing out a vulnerability in Uniswap’s Universal Router smart contract. The bug would have allowed reentrancy to drain user funds mid-transaction. Specifically, the vulnerability Dedaub identified was that third-party code could run during a transfer. That code could then re-enter the Universal Router and claim any tokens that were temporarily held in the contract.
As a solution, Dedaub suggested a straightforward remedy to the Uniswap team: adding a reentrancy lock to the core execution of the new router. For finding the problem and suggesting the fix, Uniswap awarded the auditing firm a total of $40,000. The reward also included a whopping 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.
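To illustrate the class of bug and the suggested fix, here is an added example (a hypothetical MiniRouter written for this article, not Uniswap’s Universal Router code): a safe NFT transfer hands control to the recipient’s onERC721Received hook while the router still holds tokens for later steps, and a reentrancy lock makes any nested call back into the router revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface used by the example
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

// Minimal ERC721 surface; safeTransferFrom calls onERC721Received on a contract
// recipient, which is the point where third-party code runs mid-transaction
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical mini-router: forwards an NFT, then sweeps tokens it is holding.
// Assumes the caller has approved this contract to move the NFT.
contract MiniRouter {
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    // Reentrancy lock: a nested call into any guarded function reverts
    modifier nonReentrant() {
        require(_status == 1, "MiniRouter: reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    // Without nonReentrant, the recipient's onERC721Received hook runs while
    // this router still holds `token` for the sweep step, and a callback into
    // the router could claim that balance before the original call finishes.
    // With the lock taken before the external call, such a callback reverts.
    // The lock must be applied to every entry point that can move held funds.
    function execute(IERC721 nft, uint256 id, address to, IERC20 token)
        external
        nonReentrant
    {
        nft.safeTransferFrom(msg.sender, to, id); // control leaves the router here
        _sweep(token, msg.sender);                // leftover balance goes to caller
    }

    // Sends whatever balance of `token` the router currently holds to `recipient`
    function _sweep(IERC20 token, address recipient) internal {
        uint256 bal = token.balanceOf(address(this));
        if (bal > 0) require(token.transfer(recipient, bal), "sweep failed");
    }
}
```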
According to Dedaub, the possibility of a user sending NFTs directly to an untrusted recipient was considered a user error.