Security firm Dedaub announced that it received a bounty for disclosing a serious vulnerability in Uniswap's Universal Router. The flaw is a reentrancy issue that could have been exploited to drain user funds. No funds were lost: the Uniswap team has fixed the vulnerability and redeployed the Universal Router smart contract on all chains.
Uniswap released the Universal Router smart contract in November 2022; it unifies ERC-20 and NFT swaps in a single router. Users can perform heterogeneous operations, such as swapping multiple tokens and NFTs in one transaction. According to Dedaub, the router embeds a scripting language for its various token operations, and those commands may include transfers to third-party (potentially untrusted) recipients. If third-party code is invoked at any point during such a transfer, that code can re-enter the Universal Router and claim any tokens temporarily held in the contract. Dedaub recommended that Uniswap add a reentrancy lock to the router's core execution function and redeploy it.
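The following Solidity sketch is an added illustration of the pattern described above and of the fix Dedaub recommended; it is not Uniswap's Universal Router code. The contract name `ToyRouter`, the two-command encoding (`CMD_TRANSFER`, `CMD_SWEEP`), the `_dispatch` and `_pay` helpers and the hand-rolled `ReentrancyLock` are all assumptions made for the example. The point it shows is where the untrusted external call happens (the token transfer to a caller-chosen recipient) and why a lock on the core `execute` function closes the re-entry path: the same contract without the `nonReentrant` modifier is exactly the class of issue the advisory describes, because a callback could call `execute` again while tokens are still sitting in the router.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not Uniswap's code). Models a batch-command router that
// hands tokens to arbitrary recipients and guards its core entry point
// with a reentrancy lock.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Minimal reentrancy guard, equivalent in spirit to OpenZeppelin's
// ReentrancyGuard. 1/2 rather than false/true keeps the slot non-zero,
// which makes the status writes cheaper.
abstract contract ReentrancyLock {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status != ENTERED, "Router: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

contract ToyRouter is ReentrancyLock {
    // Hypothetical command set for this example; a real router has many more.
    uint8 private constant CMD_TRANSFER = 0x00; // (token, recipient, amount)
    uint8 private constant CMD_SWEEP    = 0x01; // (token, recipient): send whole balance

    event Transferred(address token, address to, uint256 amount);

    // Core entry point. `nonReentrant` is the fix: a recipient or token
    // contract may run arbitrary code during `_pay`, but any attempt to call
    // back into execute() while the router still holds tokens now reverts.
    function execute(bytes calldata commands, bytes[] calldata inputs)
        external
        nonReentrant
    {
        require(commands.length == inputs.length, "Router: length mismatch");
        for (uint256 i = 0; i < commands.length; i++) {
            _dispatch(uint8(commands[i]), inputs[i]);
        }
    }

    function _dispatch(uint8 command, bytes calldata input) internal {
        if (command == CMD_TRANSFER) {
            (address token, address to, uint256 amount) =
                abi.decode(input, (address, address, uint256));
            _pay(token, to, amount);
        } else if (command == CMD_SWEEP) {
            // Sweeps whatever is currently in the router: this is the kind of
            // command that makes unguarded re-entry valuable to an attacker.
            (address token, address to) = abi.decode(input, (address, address));
            _pay(token, to, IERC20(token).balanceOf(address(this)));
        } else {
            revert("Router: unknown command");
        }
    }

    function _pay(address token, address to, uint256 amount) internal {
        // External call into a caller-chosen token contract; the token (or a
        // transfer hook on the recipient) may execute untrusted code here.
        require(IERC20(token).transfer(to, amount), "Router: transfer failed");
        emit Transferred(token, to, amount);
    }
}
```

When reviewing a router of this shape, the checks to make are that every externally reachable entry point that can hold or move tokens mid-transaction carries the lock, that the lock is acquired before the first external call rather than after, and that internal helpers such as `_pay` are not also exposed as public functions that bypass the guarded entry point.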