Security firm Dedaub discovered and disclosed a critical vulnerability on the popular Ethereum decentralized exchange Uniswap. The team behind the protocol fixed the bug, and the affected components were successfully redeployed—otherwise, an attacker could have tempered with transactions to steal a user’s funds.
Uniswap Avoids Danger And Fixes New Features
According to the security firm, the vulnerability was unintentionally implemented with the Universal Router. This component allows Uniswap users to trade ERC-20 tokens and non-fungible tokens “into a single swap router.”
In other words, Uniswap users can optimize their operations and trade multiple tokens and NFTs in a single transaction, saving time and money. This new component also allows users to transfer funds to third parties.
When the vulnerability was in-placed, a user could send a transaction to a third party, and the latter could have gained access to the sender’s funds. Dedaub explained the following:
(…) if third-party code is invoked at any point in the transfer (which manifests itself due to composition of protocols), the code can reenter the UniversalRouter and claim any tokens temporarily in the contract (…). The attacker also needs to implement code to reenter the router (calling execute) and sweep all token amounts. The router may contain funds mid-transaction due to other actions and transfers in a complex swap.
The Universal Router hold the sender’s funds while the transaction is completed. While this happened, the funds were vulnerable, and a bad actor could drain them by calling specific commands such as “dispatch” with a “.TRANSFER” or. “.SWEEP.”
The vulnerability could have allowed a bad actor to “re-entered” a transaction using this command. Once inside, the attacker could have been able to “drain the entire amount” from the sender’s wallet.
The security firm added the following on the “endless scenarios” where the vulnerability could have been exploited:
If untrusted code is invoked at any point in the transfer, the code can re-enter the UniversalRouter and claim any tokens already in the UniversalRouter contract. Such tokens can, for instance, exist because the user intends to later buy an NFT, or transfer tokens to a second recipient, or because the user swaps a larger amount than needed and intends to “sweep” the remainder to themselves at the end of the UniversalRouter call. And there is no shortage of scenarios in…
Click Here to Read the Full Original Article at NewsBTC…
