The Uniswap (UNI) decentralised finance (DeFi) protocol narrowly avoided a potential disaster: blockchain security firm Dedaub found a critical flaw in one of the features recently added to the protocol, and the flaw has since been fixed.
Potential disaster averted at Uniswap
Dedaub, a company specialising in blockchain security, has found a critical flaw in a smart contract of the decentralised exchange (DEX) Uniswap (UNI).
The flaw was located in the Universal Router, a feature implemented last November by Uniswap that allows users of the protocol to swap NFTs and tokens in a single transaction.
The Dedaub team has disclosed a Critical vulnerability to the Uniswap team!
Funds are safe – Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains
The vulnerability allows re-entrancy to drain the user’s funds, mid-tx.
– Dedaub (@dedaub) January 2, 2023
According to Dedaub, the code of the Universal Router did not include a “lock” feature (a re-entrancy guard) to prevent a malicious third party from executing code while a transaction was still being processed on Uniswap.
Without this safeguard, a skilled attacker could therefore have intercepted assets that were temporarily held in the smart contract while a transfer was in progress. According to Dedaub, however, only the assets held in the smart contract during such a transaction were exposed.
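The “lock” feature the article refers to is a re-entrancy guard. The following simplified router is an added illustration of that pattern and is not the Universal Router’s own code: the contract, the `IMarket` interface and its `buy` function are hypothetical. The router briefly holds a user’s tokens, calls an external contract, and returns any leftover; the `lock` modifier makes any call back into the router during that window revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical external step (an NFT marketplace in the Universal Router case).
/// It pulls `price` of `token` from the caller and may run arbitrary code of its own.
interface IMarket {
    function buy(IERC20 token, uint256 price, uint256 itemId) external;
}

contract GuardedRouter {
    uint256 private constant NOT_LOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lockState = NOT_LOCKED;

    /// Re-entrancy guard: while a routed transaction is mid-flight, any further
    /// call into a `lock`-protected function reverts. Without it, the external
    /// callee could re-enter and act on tokens the router is holding temporarily.
    modifier lock() {
        require(lockState == NOT_LOCKED, "REENTRANCY");
        lockState = LOCKED;
        _;
        lockState = NOT_LOCKED;
    }

    /// Pull `amount` of `token` from the user, pay `price` to the market, return the rest.
    function buyAndSweep(IERC20 token, uint256 amount, IMarket market, uint256 price, uint256 itemId)
        external
        lock
    {
        require(price <= amount, "PRICE_EXCEEDS_AMOUNT");
        require(token.transferFrom(msg.sender, address(this), amount), "PULL_FAILED");
        require(token.approve(address(market), price), "APPROVE_FAILED");
        market.buy(token, price, itemId); // external call: untrusted code runs here
        uint256 leftover = token.balanceOf(address(this));
        if (leftover > 0) require(token.transfer(msg.sender, leftover), "SWEEP_FAILED");
    }

    /// Also guarded: re-entering sweep() from inside buyAndSweep() reverts,
    /// so the tokens parked in the router mid-transaction cannot be claimed.
    function sweep(IERC20 token) external lock {
        require(token.transfer(msg.sender, token.balanceOf(address(this))), "SWEEP_FAILED");
    }
}
```

The guard must cover every function that can move the router’s temporary balance, not only the entry point; an unguarded sweep-style function is exactly the kind of path a mid-transaction callback would reach.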
As Dedaub reported the flaw promptly, Uniswap’s team quickly fixed the unintentional error and rewarded the blockchain security firm with a bug bounty of 40,000 USDC.
Uniswap had initially classified the error as “medium”, since exploiting it required a user to perform a transaction involving both tokens and at least one NFT with an unknown or untrustworthy counterparty, which indeed seems unlikely.
Rewards of this kind are now commonplace within the cryptocurrency ecosystem, for decentralised projects and others alike. They allow the various infrastructures to strengthen their security beyond what auditing firms provide, since an audit alone is not always enough.