Key Points:
In December 2022, @jeiwan7 found a bug in Uniswap’s SwapRouter contract.
The developer said the vulnerability was discovered but was rejected by Uniswap security researchers after submitting a bug report.
“You don’t really find critical and high severity bugs in projects like Uniswap, especially after they’ve run in production for several years. So I didn’t really had high expectations and I was sure I wouldn’t be awarded for the report. The bug looks real to me, and I wanted to figure out why would a project with high security standards leave it unfixed.
I submitted a bug report and after more than a month I received their response: they said the bug wasn’t an issue, and everything worked as expected. I cannot agree with this ????. Thus I decided to disclose it publicly for some of you to learn something new and for more experienced security researches to decide whether the bug is real or not.”
The bug allows users to lose funds while interacting with the contract in the standard way. Additionally, SwapRouter allows anyone to withdraw ETH from the contract; it could be an MEV bot or anyone calling for refunds after the transaction.
The caller cannot know how much ETH will be spent on a swap, according to his blog post, since the Quoter contract, which is used to compute swaps before executing them, only returns the output amount and not the input amount. Even if the input amount computed by the pool had been returned, a slippage check would have been necessary on the input amount since a price change might have caused the calculated input amount to change at the time the transaction was executed.
Previously, Coincu also reported a critical vulnerability in Uniswap, which has been fixed that may have cost consumers millions of dollars. This bug was established due to Uniswap’s decision to introduce the Universal Router, which combines NFTs and ERC-20 tokens into a single swap router.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join us to keep track of news: https://linktr.ee/coincu
Harold
Coincu News
Cosmos Developer Interchain Foundation sold 3000 ETH from its ICO today, totaling 21,600 ETH sold…
George Town, Grand Cayman, 22nd November 2024, Chainwire
Inflation Warning by Vanguard highlights risks during Trump’s term, citing tariffs and tighter labor markets…
Clanker token trading volume hit $59.8M on Nov 21, accounting for 14.75% of PumpFun. Fee…
Bitcoin Spot ETF inflows hit $1.005B on Nov 21, led by BlackRock’s $608M and Fidelity’s…
Discover the success story of a New York tech entrepreneur who made $72M from a…
This website uses cookies.