Security firm Dedaub found a critical bug in Uniswap’s UniversalRouter contract, which is used to conduct NFT transactions involving multiple tokens. The vulnerability, since fixed by the exchange, would have allowed anyone to inject malicious code and steal funds mid-transaction.
Blockchain security firm Dedaub discovered a critical vulnerability in Uniswap’s UniversalRouter contract. Once the bug was disclosed, the Ethereum-based exchange fixed it and rewarded Dedaub with a bug bounty worth $40,000 for acting in “good faith”.
UniversalRouter, released by Uniswap in December 2022, is a relatively new contract used for transactions involving non-fungible tokens (NFTs). It allows users to swap multiple ERC-20 tokens for NFTs in a single transaction. Its command scripting language can express several actions, such as token transfers, swaps and NFT purchases. These include transfers to untrusted recipients, and a correctly implemented router should send a recipient only what the call parameters specify. The UniversalRouter can, for example, first transfer the NFT and then send the remaining funds to the recipients.
However, Dedaub found that a vulnerability in the contract would have allowed anyone to run third-party code at any point during the transfer. The company noted that such malicious code could re-enter the router and claim any tokens held by the contract mid-transaction. Assets sit inside the UniversalRouter when a user intends to buy an NFT, to transfer tokens to another recipient, or to swap a larger amount of tokens and “sweep” the remainder at the end of the transaction call.
Uniswap named a couple of scenarios in which transactions involving untrusted recipients trigger a callback. Several tokens behave this way: when WETH (wrapped ether) is unwrapped, for instance, it triggers a callback; and tokens can themselves be untrusted, executing arbitrary functions when called back.
Dedaub demonstrated a proof-of-concept scenario in which a bad actor could exploit the smart contract. If the NFT recipient acts in bad faith, it can re-enter the router at any point in the transaction by issuing a transfer from its callback code and drain the entire amount available. Dedaub then asked Uniswap to add a reentrancy lock, which prevents additional commands from being issued into the router during transfers, to the core execution layer of the UniversalRouter and to redeploy the contract.
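As an added illustration (not Uniswap’s or Dedaub’s code), the hypothetical MiniRouter below shows the pattern the article describes: a command loop that makes an untrusted external call and later sweeps leftover tokens, guarded by the reentrancy lock that was recommended as the fix. Command encodings, names and error strings are all assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical stripped-down router (not Uniswap's code). execute() runs a command
/// list: CMD_CALL makes an untrusted external call (e.g. an NFT purchase whose
/// recipient gets a callback) and CMD_SWEEP sends the router's whole balance of a
/// token to a recipient. Between those two steps the router holds the caller's funds.
contract MiniRouter {
    uint8 private constant CMD_CALL = 0;
    uint8 private constant CMD_SWEEP = 1;

    // Reentrancy lock, the fix the article describes: a nested call into execute()
    // made from inside an untrusted callback reverts instead of reaching CMD_SWEEP.
    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lock = UNLOCKED;

    modifier nonReentrant() {
        require(lock == UNLOCKED, "MiniRouter: reentrant call");
        lock = LOCKED;
        _;
        lock = UNLOCKED;
    }

    function execute(uint8[] calldata commands, bytes[] calldata inputs) external payable nonReentrant {
        require(commands.length == inputs.length, "MiniRouter: length mismatch");
        for (uint256 i = 0; i < commands.length; i++) {
            if (commands[i] == CMD_CALL) {
                // Untrusted target: it may call back into any function of this contract.
                (address target, uint256 value, bytes memory data) =
                    abi.decode(inputs[i], (address, uint256, bytes));
                (bool ok, ) = target.call{value: value}(data);
                require(ok, "MiniRouter: external call failed");
            } else if (commands[i] == CMD_SWEEP) {
                // Sends whatever is left. Without the lock, a callback during CMD_CALL
                // could run this step first and claim the balance for itself.
                (address token, address recipient) = abi.decode(inputs[i], (address, address));
                uint256 bal = IERC20(token).balanceOf(address(this));
                require(IERC20(token).transfer(recipient, bal), "MiniRouter: transfer failed");
            } else {
                revert("MiniRouter: unknown command");
            }
        }
    }
}
```

The lock is what matters: with it, a recipient’s callback that tries to call execute() again reverts, so the sweep can only ever run in the outer, legitimate transaction.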
Uniswap was notified of the issue immediately and took prompt action to fix it before the router gained mass adoption. Launched in 2018, Uniswap is one of the most popular decentralised exchanges in DeFi and is responsible for over 46% of all DEX trading volume. To date, the platform has processed over $1 trillion worth of crypto transactions.
2022 was a tough year for the crypto market in general, and bad actors took advantage of declining prices to steal billions from the industry. According to blockchain audit firm CertiK, 2022 was the worst year yet for crypto investors, with markets losing $3.7 billion to scams, hacks and exploits. An estimated 80% of the stolen funds came from attacks against decentralised finance (DeFi) platforms. While October and November were the most lucrative months for hackers, December was the least harmful, with roughly $62 million worth of crypto stolen, compared to $718 million and $595 million taken in the two previous months.
At the time of writing, UNI, Uniswap’s native token, is trading at $5.57, up 3.4% in the last 24 hours.