Uniswap Universal Router was vulnerable to re-entrancy attacks
Dedaub’s team recently disclosed a vulnerability in Uniswap contracts that could have endangered some users.
The Uniswap vulnerability
In a recent tweet, Dedaub disclosed that they had discovered a bug in Uniswap contracts and informed Uniswap of the vulnerability. When the feedback was received, “UniSwap addressed the issue and redeployed the Universal Router smart contracts on all its chains.”
According to Dedaub’s tweet, this vulnerability paved the way for re-entrancy attacks, which would drain users’ funds. The Dedaub team explained how an attacker would use this vulnerability.
The vulnerability dates back to November, when Uniswap introduced its Universal Router. This router unifies NFT and ERC-20 swapping in a single swap router. The aim was to help users perform multiple actions, like swapping multiple NFTs and tokens, in one transaction.
When used correctly, the Universal Router commands will send the specified amount to the specified recipient. However, if third-party code is called during the transfer, it can re-enter the router and claim tokens in the contract. This is mainly because the Universal Router held balances between transactions.
In their Proof-of-Concept, the Dedaub team noted that the attacker could add a SWEEP command for all tokens remaining after the initial amounts are sent. As part of the transaction, the recipient could quickly drain the entire amount.
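The re-entry path described above, run with and without a reentrancy lock of the kind Dedaub recommended, as an added example: this is a simplified Python model, not Uniswap's Solidity code or Dedaub's Proof-of-Concept. The names `ToyRouter`, `Recipient`, `on_receive` and `run`, and the token amounts, are assumptions made for illustration.

```python
class ReentrancyError(Exception):
    """execute() was entered while an earlier call was still running."""

class Recipient:
    """Account whose code runs when it receives tokens (hypothetical hook)."""
    def __init__(self, name, reenter=False):
        self.name, self.reenter = name, reenter

    def on_receive(self, router):
        # Third-party code called during the transfer tries to re-enter.
        if self.reenter and router.balance > 0:
            router.execute([("SWEEP", self, None)])

class ToyRouter:
    """Simplified model of a command router that holds funds mid-transaction."""
    def __init__(self, wallets, use_lock):
        self.wallets, self.use_lock = wallets, use_lock
        self.balance, self.entered = 0, False

    def execute(self, commands):
        if self.use_lock and self.entered:
            raise ReentrancyError("router re-entered")  # the reentrancy lock
        self.entered = True
        try:
            for op, recipient, amount in commands:
                self._pay(recipient, self.balance if op == "SWEEP" else amount)
        finally:
            self.entered = False

    def _pay(self, recipient, amount):
        self.balance -= amount
        self.wallets[recipient.name] += amount
        recipient.on_receive(self)  # external call happens mid-command

def run(use_lock):
    """Return (user, third_party) balances after one user transaction."""
    wallets = {"user": 100, "third_party": 0}  # constructed sample balances
    before = dict(wallets)
    router = ToyRouter(wallets, use_lock)
    user, third = Recipient("user"), Recipient("third_party", reenter=True)
    wallets["user"] -= 100
    router.balance = 100  # the user funds the router for this transaction
    try:
        # Pay 10 to the third party, then sweep the remainder back to the user.
        router.execute([("TRANSFER", third, 10), ("SWEEP", user, None)])
    except ReentrancyError:
        wallets = before  # the whole transaction reverts
    return wallets["user"], wallets["third_party"]
```

Without the lock the user's trailing SWEEP finds the router already empty; with it, the nested call fails and the model restores the pre-transaction balances, standing in for an on-chain revert.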
Uniswap’s team acted fast
Dedaub’s team instantly informed the UniSwap team of the possibility of such an attack. They advised Uniswap’s team to embed a reentrancy lock in their new router before deploying.
Uniswap dealt with the issue instantly, making the necessary adjustments before adopting the contract. Uniswap awarded the Dedaub team a $40 thousand bug bounty to show their commitment to individuals’ security. However, the Uniswap team assessed the problem as a high-impact but low-likelihood event. Hence, this could occur in very complex scenarios.
The DEX protocol Uniswap is generally familiar with re-entrancy attacks. In 2020, reports emerged that the DEX, together with Lendf.me, lost $25 million in a simple re-entrancy attack. The network has also suffered other kinds of attacks. In July 2022, hackers nabbed $8 million in ETH using a phishing attack.