A vulnerability in Uniswap that could have seen users lose millions, if not billions of dollars, has been patched. The DEX is the world’s largest by total value locked, currently managing $3.26 billion of assets.
The Dedaub team was the first to identify the re-entrancy flaw, which could have allowed users' funds to be drained. They notified the Uniswap development team. After acknowledging the bug, the DEX's developers fixed it and redeployed the Universal Router smart contracts on every chain where it runs, Polygon included.
The Dedaub team has disclosed a Critical vulnerability to the Uniswap team!
Funds are safe – Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains 👏
The vulnerability allows re-entrancy to drain the user's funds, mid-tx.
— Dedaub (@dedaub) January 2, 2023
The Dedaub team noted that Uniswap's decision to launch the Universal Router, which unifies ERC-20 (fungible) tokens and NFTs behind a single swap router, is what introduced this weakness. In their assessment, the router's command-based design effectively lets a caller “embed a scripting language for all sorts of token actions”, and that flexibility is what a malicious actor could abuse.
“Such commands could include transfers to third-party (potentially untrusted) recipients. In a correct implementation, such a transfer should send to the recipient only what the call parameters specify. However, if third-party code is invoked at any point in the transfer (which manifests itself due to composition of protocols), the code can reenter the Universal Router and claim any tokens temporarily in the contract.”
Funds are now safe after Uniswap added “a re-entrancy lock to the core execution” and re-deployed the Universal Router.
Re-entrancy is a common smart-contract bug on account-based blockchains like Ethereum, primarily because of how transfers are handled on these networks: a transfer to a contract address can execute that contract's code before the caller's own function has finished. Over the years, attackers have exploited this class of error to siphon hundreds of millions of tokens.
For context, a re-entrancy attack was used to lock up millions of ETH in The DAO, the first DAO on Ethereum, leading to the split of the network into the proof-of-work Ethereum Classic and the longer chain, Ethereum.
To exploit this class of vulnerability, the attacker sets up a loop between the vulnerable contract and their own contract, re-entering the victim on every callback until the funds held in the former are drained. Since smart contracts execute on an immutable base layer, it is impossible for the victim to recoup the funds once the transaction has been mined from the mempool and confirmed.
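To make the mechanism Dedaub describes concrete, here is an added illustration (it is not Uniswap's code and does not reproduce the Universal Router): a toy command router that, like the real one, pulls tokens into itself and moves them out in later steps, so tokens sit in the contract mid-transaction. The first contract has no lock, so third-party code reached during a transfer can call back into execute() and reach the Sweep step while the original call is still running; the second adds a re-entrancy lock on the core execution path, which is the shape of the fix described above. The IERC20 and IPaymentHook interfaces, the Command set and the contract names are simplifying assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Uniswap's code. Token and hook interfaces are
// simplified assumptions; real code would use SafeERC20-style wrappers.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical recipient hook. ERC-777 / ERC-1155 style "you were paid"
// callbacks are the kind of third-party code the Dedaub write-up refers to.
interface IPaymentHook {
    function onPayment(address token, uint256 amount) external;
}

abstract contract RouterCore {
    enum Command { PullToken, Transfer, Sweep }

    struct Step {
        Command cmd;
        address token;
        address to;
        uint256 amount;
    }

    function _run(Step[] calldata steps) internal {
        for (uint256 i = 0; i < steps.length; i++) {
            _dispatch(steps[i]);
        }
    }

    function _dispatch(Step calldata s) private {
        if (s.cmd == Command.PullToken) {
            // Tokens are now held by the router until a later step moves them.
            require(IERC20(s.token).transferFrom(msg.sender, address(this), s.amount), "pull failed");
        } else if (s.cmd == Command.Transfer) {
            require(IERC20(s.token).transfer(s.to, s.amount), "transfer failed");
            // External call into a possibly untrusted recipient. In the
            // unlocked router, code running here can call execute() again
            // while the original call is still part-way through its steps.
            if (s.to.code.length > 0) {
                IPaymentHook(s.to).onPayment(s.token, s.amount);
            }
        } else if (s.cmd == Command.Sweep) {
            // "Send everything left in the router to `to`": meant for the
            // original caller to collect leftovers, but a re-entrant call can
            // point it at a different address while the balance is non-zero.
            uint256 bal = IERC20(s.token).balanceOf(address(this));
            require(IERC20(s.token).transfer(s.to, bal), "sweep failed");
        }
    }
}

// Vulnerable form: nothing stops execute() from being entered recursively.
contract VulnerableRouter is RouterCore {
    function execute(Step[] calldata steps) external {
        _run(steps);
    }
}

// Hardened form: a mutex on the core execution path. A nested call to
// execute() from inside onPayment() now reverts instead of running.
contract HardenedRouter is RouterCore {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    error Reentrancy();

    modifier nonReentrant() {
        if (_status == ENTERED) revert Reentrancy();
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    function execute(Step[] calldata steps) external nonReentrant {
        _run(steps);
    }
}
```

Two design points worth noting. The lock uses the values 1 and 2 rather than a boolean because resetting a non-zero storage slot is cheaper than clearing it to zero, the same convention OpenZeppelin's ReentrancyGuard follows. And the lock only helps if it guards every entry point that can move tokens the router is holding; a second unguarded function that sweeps balances would reopen the same hole, so an audit should enumerate all such paths rather than check the one function that was reported.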
Dedaub received a $40,000 bounty from the $3 million bug-bounty program announced by Uniswap.