Uniswap may have saved itself being exploited for millions of pounds thanks to an auditor that identified a smart contract vulnerability on the decentralised exchange.
Dedaub, a smart contract security and auditing firm, revealed Uniswap has paid it $40,000 (£33,500) for flagging a potential weakness in the exchange’s Universal Router smart contract. The weakness could have enabled hackers to drain users’ funds in the middle of a transaction.
Uniswap launched its bug bounty programme at the end of 2022, promising anyone up to 2.25 million USDC (£1.88m) for identifying possible vulnerabilities in the protocol’s smart contracts.
The programme launched in November alongside two new smart contracts on the exchange. The one in which the vulnerability was identified, Universal Router, combines ERC-20 and NFT swapping into a single transaction, allowing multiple tokens and NFTs to be swapped at once.
The second, Permit2, lets token approvals be shared across a variety of different applications.
Universal Router uses a scripting language for a number of its token actions, which can include third-party transfers. If used properly, transfers will go to chosen recipients under specific conditions.
What Dedaub discovered is that when third-party code is used in a transfer, the code can re-enter back into the smart contract and claim any temporary tokens being used in a transaction.
Dedaub alerted the Uniswap team, suggesting an easy fix would be to add a re-entrancy lock to the execution of the smart contract.
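To make the fix concrete, here is an added illustration (not Uniswap’s or Dedaub’s code, and not the real Universal Router) of a toy command-executing router in Solidity. It holds temporary tokens while a batch runs, calls third-party code from inside a transfer step, and exposes the same batch with and without a re-entrancy lock. The interfaces, command numbers, `onTransfer` hook and `executeUnsafe`/`executeSafe` names are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface the toy router needs (assumed interface, not Uniswap's code).
interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hook a recipient contract may implement; the router calls it during a transfer step.
// This is a constructed stand-in for any third-party code reached mid-transaction.
interface ITransferHook {
    function onTransfer(address token, uint256 amount) external;
}

contract ToyRouter {
    uint8 internal constant CMD_TRANSFER_WITH_HOOK = 0; // send tokens, then call recipient hook
    uint8 internal constant CMD_SWEEP = 1;              // send the router's whole balance on

    // Re-entrancy lock. 1 = unlocked, 2 = locked (non-zero values are cheaper to toggle).
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    // Unprotected entry point: a hook invoked from step i can call back in and run a
    // CMD_SWEEP before the outer batch reaches its own later steps, receiving the
    // temporary balance that the outer caller still expected to control.
    function executeUnsafe(bytes calldata commands, bytes[] calldata inputs) external {
        _run(commands, inputs);
    }

    // Hardened entry point: the same batch, but any call back into the router while a
    // batch is in progress reverts with "reentrant call".
    function executeSafe(bytes calldata commands, bytes[] calldata inputs) external nonReentrant {
        _run(commands, inputs);
    }

    function _run(bytes calldata commands, bytes[] calldata inputs) internal {
        require(commands.length == inputs.length, "length mismatch");
        for (uint256 i = 0; i < commands.length; i++) {
            uint8 cmd = uint8(commands[i]);
            if (cmd == CMD_TRANSFER_WITH_HOOK) {
                (address token, address recipient, uint256 amount) =
                    abi.decode(inputs[i], (address, address, uint256));
                require(IERC20(token).transfer(recipient, amount), "transfer failed");
                // External call into third-party code while the router may still hold
                // tokens that belong to the current transaction's remaining steps.
                ITransferHook(recipient).onTransfer(token, amount);
            } else if (cmd == CMD_SWEEP) {
                (address token, address recipient) = abi.decode(inputs[i], (address, address));
                uint256 bal = IERC20(token).balanceOf(address(this));
                if (bal > 0) {
                    require(IERC20(token).transfer(recipient, bal), "sweep failed");
                }
            } else {
                revert("unknown command");
            }
        }
    }
}
```

The lock does not change what a batch does; it only guarantees that one batch finishes before another can start, so any balance the router is holding between steps is never reachable from a nested call. When reviewing a router of this shape, the question to ask is whether any step makes an external call before the batch's temporary balances have been settled, and if so whether the entry point carries the lock.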
The issue was classed as medium severity by Uniswap, with a low likelihood but high impact.
After a surge in major DeFi hacks in 2022, some costing hundreds of millions, bug bounty programmes have become a popular remedy for platforms in the space.