UniSwap Universal Router ងាយរងគ្រោះដោយសារការវាយប្រហារចូលឡើងវិញ

The birth of this vulnerability stems back to November when UniSwap introduced its Universal Router. This router unifies NFT and ERC-20 swapping to a single swap router. The aim was to help users perform multiple actions like swapping multiple NFTs and tokens in one transaction. 

When used correctly, the Universal Router commands will send the specified amount to the specified recipient. However, if a third-party code is called during the transfer, it can re-enter the router and claim tokens in the contract. This is mainly because the Universal Router held balances between transactions. 

In their Proof-of-Concept, the Dedaub team noted that the attacker could add a SWEEP command for all tokens remaining after the initial amounts are sent. As part of the transaction, the recipient could quickly drain the entire amount.

Uniswap’s team acted fast

Dedaub’s team instantly informed the UniSwap team of the possibility of such an attack. They advised Uniswap’s team to embed a reentrancy lock in their new router before deploying. 

Uniswap dealt with the issue instantly, making the necessary adjustments before adopting the contract. Uniswap awarded the Dedaub team a $40 thousand bug bounty to show their commitment to individuals’ security. However, the Uniswap team assessed the problem as a high-impact but low-likelihood event. Hence, this could occur in very complex scenarios.

នេះ DEX protocol UniSwap is generally familiar with re-entrancy attacks. In 2020, reports emerged that the DEX, together with Lendf.me, lost $25 million in a simple re-entrancy attack. The network has also suffered other attacks like hacking. In July 2022, hackers nabbed $8 million in សាកលវិទ្យាល័យ ETH using a phishing attack.

តាមពួកយើងនៅលើ Google ព័ត៌មាន