Dedaub, a blockchain-focused cybersecurity team, shared the design of a possible attack on the funds in Uniswap's Universal Router, a new-gen mechanism that allows users to move NFTs and cryptocurrencies together.
Uniswap's Universal Router can be drained
Uniswap (UNI) was exposed to a critical vulnerability after the activation of its Universal Router. The bug allowed a third party to inject code and withdraw money while a transaction was being routed.
The Dedaub team has disclosed a Critical vulnerability to the Uniswap team!
Funds are safe - Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains 👏
The vulnerability allows re-entrancy to drain the user's funds, mid-tx.
— Dedaub (@dedaub) January 2, 2023
The attack was possible because the router holds funds mid-transaction, and these funds can be withdrawn by an attacker. For instance, if account "A" transfers NFTs and then transfers funds to account "B," the latter is theoretically able to "reenter" the router and drain the funds.
The cybersecurity researchers advised the Uniswap (UNI) team to add a reentrancy lock to the core execution of the new router and then redeploy this mechanism.
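A simplified Python model of the flaw and of the advised lock, added here as an example and not Uniswap's or Dedaub's code. The `Router` class, its `transfer` and `sweep` steps and the recipient callback are assumptions made for illustration.

```python
class Reentrancy(Exception):
    """Raised when execute() is entered while it is already running."""

class Router:
    """Hypothetical model: holds funds between the steps of one transaction."""
    def __init__(self, locked):
        self.locked = locked    # True models the advised reentrancy lock
        self.entered = False
        self.balance = 0        # funds held mid-transaction
        self.paid = {}          # account -> amount paid out

    def execute(self, steps, deposit=0):
        if self.locked and self.entered:
            raise Reentrancy("execute() re-entered")
        snapshot = (self.balance, dict(self.paid))
        self.entered = True
        self.balance += deposit
        try:
            for op, to, hook in steps:
                if op == "transfer" and hook:   # recipient's code runs here
                    hook(self)
                elif op == "sweep":             # pay out all held funds
                    self.paid[to] = self.paid.get(to, 0) + self.balance
                    self.balance = 0
        except Exception:
            self.balance, self.paid = snapshot  # revert the whole transaction
            raise
        finally:
            self.entered = False

def reenter(router):
    """Account B's callback: calls back into the router mid-transaction."""
    router.execute([("sweep", "B", None)])

def run(locked, hook=reenter):
    """Account A deposits 100, transfers to B, then sweeps the rest back to A."""
    router = Router(locked)
    steps = [("transfer", "B", hook), ("sweep", "A", None)]
    try:
        router.execute(steps, deposit=100)
        outcome = "completed"
    except Reentrancy:
        outcome = "reverted"
    return outcome, router.paid.get("A", 0), router.paid.get("B", 0)

if __name__ == "__main__":
    print("no lock:  ", run(locked=False))
    print("with lock:", run(locked=True))
```

With the lock, the nested call fails and the whole transaction reverts, so nothing is paid out to either account; a recipient that does not call back is unaffected.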
Uniswap (UNI) activated its Universal Router on Dec. 17, 2022. It significantly streamlined the processes of token swaps and made them more resource efficient.
Uniswap fixes bug, pays bug bounty
Dedaub experts announced that the Uniswap (UNI) team implemented the security fix before the router gained traction among users of the decentralized exchange. The emergency update was activated across all blockchains Uniswap (UNI) currently runs on.
All funds of new and existing Uniswap (UNI) users are 100% safe at this time. Also, Uniswap (UNI) paid the bug bounty to the experts who uncovered the dangerous vulnerability.
As covered by U.Today previously, in 2022, Uniswap (UNI) registered a whopping $620 billion in trading volume on its swap engine despite the bearish recession.
The platform handled 68 million transactions on the Ethereum (ETH) network alone.