{"id":534944,"date":"2023-01-04T13:00:00","date_gmt":"2023-01-04T10:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/defi-auditor-nets-40000-for-identifying-uniswap-vulnerability\/"},"modified":"2023-01-04T13:00:00","modified_gmt":"2023-01-04T10:00:00","slug":"defi-auditor-nets-40000-for-identifying-uniswap-vulnerability","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/defi-auditor-nets-40000-for-identifying-uniswap-vulnerability\/","title":{"rendered":"# DeFi auditor nets $40,000 for identifying Uniswap vulnerability"},"content":{"rendered":"<h1>DeFi auditor nets $40,000 for identifying Uniswap vulnerability<\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjMtMDEvNTZjM2I3OGMtMzYxMC00ZWU2LWI3OGMtNThkZjNmODMxNzFlLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-6ed77c39><p>Uniswap\u2019s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability in the protocol\u2019s Universal Router smart contract.<\/p>\n<p>The automated market maker <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/uniswap.org\/blog\/permit2-and-universal-router\">released<\/a> two new smart contracts to its platform in November 2022. 
Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible token (NFT) swapping into a single swap router.<\/p>\n<p>Uniswap also advertised a lucrative bug bounty program towards the end of 2022 to identify potential vulnerabilities in its smart contracts as it looked to ensure the safety and efficacy of its protocol.<\/p>\n<p>Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The Dedaub team has disclosed a Critical vulnerability to the Uniswap team!<\/p>\n<p>Funds are safe &#8211; Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains<\/p>\n<p>The vulnerability allows re-entrancy to drain the user&#8217;s funds, mid-tx.<\/p>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/wFSFsohPvy\">pic.twitter.com\/wFSFsohPvy<\/a><\/p>\n<p>\u2014 Dedaub (@dedaub) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/dedaub\/status\/1610058814094450694?ref_src=twsrc%5Etfw\">January 2, 2023<\/a><\/p><\/blockquote>\n<p>According to Dedaub\u2019s breakdown, the Universal Router allows users to perform diverse actions, including swapping multiple tokens and NFTs in one transaction.<\/p>\n<p>The router embeds a scripting language for a wide variety of token actions, which could include transfers to third-party recipients. 
If correctly implemented, transfers would go to the recipient within the specified parameters.<\/p>\n<p><strong><em>Related: Immunefi says it has facilitated $66M in bug bounties since inception<\/em><\/strong><\/p>\n<p>However, Dedaub identified a vulnerability in which third-party code was invoked during the transfer, allowing that code to re-enter the Universal Router and claim any tokens that were temporarily held in the contract.<\/p>\n<p>Dedaub then suggested a straightforward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap\u2019s bonus period in November 2022.<\/p>\n<p>Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs directly to an untrusted recipient was considered user error.<\/p>\n<p>More complex and less likely scenarios were considered valid for reentrancy, which resulted in Uniswap deeming the vector to have a low likelihood. 
Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, amounts paid out and the number of bugs identified to date.<\/p>\n<p>Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure.<\/p>\n<p>Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" 
href=\"https:\/\/cointelegraph.com\/news\/defi-auditor-nets-40-000-for-identifying-uniswap-vulnerability\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; DeFi auditor nets $40,000 for identifying Uniswap vulnerability &#8220; Uniswap\u2019s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability of the protocol\u2019s Universal Router smart contract. The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":534945,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/cdn-cgi\/image\/format=auto,onerror=redirect,quality=90,width=1200\/https:\/\/s3.cointelegraph.com\/uploads\/2023-01\/56c3b78c-3610-4ee6-b78c-58df3f83171e.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74877,74868,88700,72287],"class_list":["post-534944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-decentralized-exchange","tag-defi","tag-uniswap","tag-security"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/534944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=534944"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/534944\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com
\/en\/wp-json\/wp\/v2\/media\/534945"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=534944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=534944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=534944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}