bug bounty

DeFi auditor nets $40,000 for identifying Uniswap vulnerability

A security firm flagged a now-fixed vulnerability to Uniswap, highlighting the potential for reentrancy attacks on the protocol’s Universal Router smart contract.

Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability in the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible token (NFT) swapping into a single swap router.

Uniswap also advertised a lucrative bug bounty program toward the end of 2022 to surface potential vulnerabilities in its smart contracts as it looked to ensure the security and effectiveness of its protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.

The router embeds a command-based scripting language covering a wide variety of token actions, including transfers to third-party recipients. When correctly implemented, a transfer moves only the specified amount to the specified recipient and nothing else.

Related: Immunefi says it has facilitated $66M in bug bounties since inception 

However, Dedaub identified a vulnerability in which third-party code at the recipient was invoked during the transfer (a token-receipt hook, for example), allowing that code to re-enter the Universal Router and claim any tokens that were temporarily held in the contract mid-transaction.

Dedaub then suggested a straightforward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.
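The mechanism described above, as an added illustration that is not Uniswap, Dedaub or Cointelegraph code: a Python simulation of a command router that holds a user’s tokens between commands, a recipient contract whose NFT receive hook re-enters the router and sweeps those tokens, and the reentrancy lock that closes the hole. All contract names, commands, balances and addresses are constructed for the example and do not reflect the real Universal Router’s interface.

```python
# Added illustration (Python simulation, not Uniswap or Dedaub code): a toy command
# router that holds tokens mid-transaction, a recipient contract that re-enters it
# from an NFT receive hook, and the reentrancy lock that closes the hole.
ROUTER = "router"  # hypothetical address of the router contract


class Reentrancy(Exception):
    """Raised by the guarded router when execute() is entered recursively."""


class Token:
    """Minimal ERC-20-like ledger. Approvals are assumed to be in place."""

    def __init__(self) -> None:
        self.balances: dict[str, int] = {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise ValueError(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class NFT:
    """Minimal ERC-721-like registry. safe_transfer calls the recipient's hook
    when the recipient is a contract; that is where control leaves the router."""

    def __init__(self, contracts: dict[str, object]) -> None:
        self.owners: dict[int, str] = {}
        self.contracts = contracts  # address -> deployed contract object

    def safe_transfer(self, src: str, dst: str, token_id: int) -> None:
        if self.owners.get(token_id) != src:
            raise ValueError("not the owner")
        self.owners[token_id] = dst
        hook = getattr(self.contracts.get(dst), "on_received", None)
        if hook is not None:
            hook(self, token_id)  # third-party code runs here


class Router:
    """Executes a list of commands in one transaction. Tokens pulled in by an
    earlier command sit in the router until a later command uses or sweeps them."""

    def __init__(self, guarded: bool) -> None:
        self.guarded = guarded
        self._locked = False

    def execute(self, caller: str, commands: list[tuple]) -> None:
        if self.guarded and self._locked:
            raise Reentrancy("execute() re-entered")  # the reentrancy lock
        self._locked = True
        try:
            for name, *args in commands:
                getattr(self, f"_cmd_{name}")(caller, *args)
        finally:
            self._locked = False

    def _cmd_TRANSFER_IN(self, caller: str, token: Token, amount: int) -> None:
        token.transfer(caller, ROUTER, amount)  # tokens now sit in the router

    def _cmd_NFT_TRANSFER(self, caller: str, nft: NFT, token_id: int, to: str) -> None:
        nft.safe_transfer(caller, to, token_id)  # invokes recipient code

    def _cmd_SWEEP(self, caller: str, token: Token, to: str) -> None:
        # Meant to return the caller's leftovers; it pays out whatever the router
        # currently holds, which is exactly the value a re-entrant caller can claim.
        token.transfer(ROUTER, to, token.balance_of(ROUTER))


class MaliciousRecipient:
    """Recipient contract whose receive hook re-enters the router."""

    def __init__(self, addr: str, router: Router, token: Token) -> None:
        self.addr, self.router, self.token = addr, router, token
        self.blocked = False

    def on_received(self, nft: NFT, token_id: int) -> None:
        try:
            self.router.execute(self.addr, [("SWEEP", self.token, self.addr)])
        except Reentrancy:
            self.blocked = True  # lock held by the outer call; the grab fails


def run_scenario(guarded: bool) -> dict:
    """Alice pulls 100 USDC into the router, sends NFT #7 to Mallory's contract,
    then sweeps her USDC back. Returns final balances and whether the lock fired."""
    usdc, contracts = Token(), {}
    nft, router = NFT(contracts), Router(guarded)
    mallory = MaliciousRecipient("mallory", router, usdc)
    contracts["mallory"] = mallory
    usdc.balances["alice"] = 1_000
    nft.owners[7] = "alice"
    router.execute("alice", [
        ("TRANSFER_IN", usdc, 100),
        ("NFT_TRANSFER", nft, 7, "mallory"),
        ("SWEEP", usdc, "alice"),
    ])
    return {"alice": usdc.balance_of("alice"),
            "mallory": usdc.balance_of("mallory"),
            "router": usdc.balance_of(ROUTER),
            "reentry_blocked": mallory.blocked}


if __name__ == "__main__":
    print("unguarded:", run_scenario(guarded=False))
    print("guarded:  ", run_scenario(guarded=True))
```

Without the lock, Mallory’s hook runs while Alice’s 100 USDC is still parked in the router and sweeps it to herself before Alice’s own sweep executes; with the lock, the nested execute() reverts, the outer transaction continues and Alice gets her tokens back. The lock is the straightforward remedy the text describes: it costs one storage flag per call and needs no per-command reasoning about which recipients are trusted.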

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have a high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs to an untrusted recipient directly was considered a user error.

Only more complex and less likely scenarios were considered valid reentrancy vectors, which is why Uniswap rated the likelihood as low. Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, the amounts paid out and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure. 

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.

Mango Markets hacker proposes steep settlement

The Solana DeFi protocol suffered a $117 million exploit on Oct. 11, and the hacker wants 70 million USDC for a “bug bounty.”

On Oct. 12, one day after $117 million was drained from Solana DeFi platform Mango Markets via a price feed exploit, the hacker responsible for the attack demanded a settlement. The proposal was filed on the Mango Markets decentralized autonomous organization (DAO) governance forum. 

If passed, the procedure would involve the hacker sending stolen MNGO, SOL (SOL) and Marinade Staked SOL tokens to an address provided by the Mango DAO team. Users without bad debt would be made whole. However, the hacker demands that the loss be treated as a bug bounty of 70 million USD Coin (USDC), or $70 million, and that the remaining bad debt be paid off from the community treasury as insurance.

Adding insult to injury, the hacker has voted for this proposal using millions of tokens stolen in the exploit. However, the proposal does not yet have the required quorum to pass. In exchange for the settlement, the hacker requests that users who vote in favor of the proposal agree to pay the bounty, pay off the bad debt with the treasury, waive any potential claims against accounts with bad debt and not pursue any criminal investigations or the freezing of funds.

Reactions were, unsurprisingly, overwhelmingly negative, with one user writing:

“You’re disgusting. What you did is wrong in every way possible. The responsible thing to do would have been to disclose the vulnerability to the team, NOT EXPLOIT IT. I hope the law enforcement community shows you ZERO MERCY.”

Despite the scale of the exploit, losses may be lower than previously estimated. For example, Solana stablecoin protocol UXD said that it had a total exposure of $20 million in Mango Markets. However, its insurance fund contains more than $53.5 million in assets, more than enough to cover the losses. The vote on the hacker’s proposal is ongoing at the time of publication.

$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

The platform’s treasury was drained of over $100 million worth of cryptocurrency after an attacker manipulated the price data of its native token to take out loans against their holdings.

Solana-based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million after an attacker manipulated price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec, which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of its MNGO native token collateral, then taking out “massive loans” from Mango’s treasury.

The Mango Markets team tweeted soon after, warning users not to deposit funds until “the situation was more clear” and asking the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits while it continued investigations of the incident.
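The attack class described in this article, as an added illustration that is not Mango Markets code: a Python model of a lending market that values collateral at a spot price an attacker can move, the pump-then-borrow sequence, the bad debt it leaves the protocol holding, and how an oracle that takes the median of recent observations blunts a single-observation pump. The constant-product pool, the reserves, the 80% loan-to-value ratio and every amount are constructed for the example; Mango’s actual oracle design and the attacker’s actual amounts are not modeled.

```python
# Added illustration (Python, not Mango Markets code): a toy lending market that
# values collateral at a manipulable spot price, the pump-then-borrow sequence,
# the bad debt it leaves behind, and a median-of-recent-observations oracle that
# blunts a one-shot pump. Reserves, prices and amounts are all constructed.
from collections import deque
from fractions import Fraction
from statistics import median
from typing import Callable


class Pool:
    """Constant-product (x * y = k) market whose spot price a naive oracle reads."""

    def __init__(self, token_reserve: int, usdc_reserve: int) -> None:
        self.token = Fraction(token_reserve)
        self.usdc = Fraction(usdc_reserve)

    def spot_price(self) -> Fraction:
        return self.usdc / self.token  # USDC per token

    def buy_tokens(self, usdc_in: int) -> Fraction:
        """Spend USDC to buy tokens; returns tokens received and pushes spot up."""
        k = self.token * self.usdc
        self.usdc += usdc_in
        tokens_out = self.token - k / self.usdc
        self.token -= tokens_out
        return tokens_out


class LendingMarket:
    """Lends treasury USDC against token collateral valued by oracle()."""

    def __init__(self, treasury_usdc: int, ltv: Fraction,
                 oracle: Callable[[], Fraction]) -> None:
        self.treasury = Fraction(treasury_usdc)
        self.ltv = ltv
        self.oracle = oracle
        self.collateral: dict[str, Fraction] = {}
        self.debt: dict[str, Fraction] = {}

    def deposit(self, who: str, tokens: int) -> None:
        self.collateral[who] = self.collateral.get(who, Fraction(0)) + tokens

    def borrow_capacity(self, who: str) -> Fraction:
        value = self.collateral.get(who, Fraction(0)) * self.oracle()
        return value * self.ltv - self.debt.get(who, Fraction(0))

    def borrow(self, who: str, usdc: Fraction) -> None:
        if usdc > self.borrow_capacity(who):
            raise ValueError("borrow exceeds collateral value")
        if usdc > self.treasury:
            raise ValueError("treasury lacks liquidity")
        self.treasury -= usdc
        self.debt[who] = self.debt.get(who, Fraction(0)) + usdc

    def bad_debt(self, who: str, fair_price: Fraction) -> Fraction:
        """Debt that liquidating the collateral at the fair price cannot cover."""
        recoverable = self.collateral.get(who, Fraction(0)) * fair_price
        return max(Fraction(0), self.debt.get(who, Fraction(0)) - recoverable)


def run_attack(robust_oracle: bool) -> dict:
    """Pump the spot price, borrow against inflated collateral, report the damage."""
    pool = Pool(token_reserve=10_000_000, usdc_reserve=1_000_000)  # fair price 0.10
    fair = pool.spot_price()
    history = deque([fair] * 5, maxlen=5)  # earlier observations at the fair price
    last = {}

    def observe() -> Fraction:
        history.append(pool.spot_price())
        last["price"] = median(history) if robust_oracle else history[-1]
        return last["price"]

    market = LendingMarket(60_000_000, Fraction("0.8"), observe)
    market.deposit("attacker", 50_000_000)       # worth $5M at the fair price
    pool.buy_tokens(2_200_000)                   # pump: spot moves 0.10 -> 1.024
    capacity = market.borrow_capacity("attacker")  # oracle read mid-manipulation
    market.borrow("attacker", capacity)
    return {"price_used": float(last["price"]),
            "borrowed": float(market.debt["attacker"]),
            "treasury_left": float(market.treasury),
            "bad_debt": float(market.bad_debt("attacker", fair))}


if __name__ == "__main__":
    print("spot oracle:  ", run_attack(robust_oracle=False))
    print("median oracle:", run_attack(robust_oracle=True))
```

With the naive oracle, 2.2 million USDC of buying lifts the spot price roughly tenfold, collateral worth $5 million is valued at $51.2 million, and the attacker walks away with $40.96 million of treasury USDC against collateral that covers only $5 million of it, so the protocol books about $35.96 million of bad debt. With the median oracle the single pumped observation is outvoted by the four fair ones, capacity stays at $4 million and no bad debt arises. The caveat a practitioner would add: a median or time-weighted oracle only raises the cost of manipulation, since an attacker who can hold the price up across enough observations still wins, so borrow caps and per-asset collateral limits are the usual companions to this check.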

Due to news of the exploit, the price of the platform’s MNGO token has fallen by around 52% in the last 24 hours at the time of writing, according to data from CoinGecko.

Related: TempleDAO exploit results in $2M loss

The exploiter’s account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of Solana’s SOL (SOL).

Over $14.7 million worth of MNGO was withdrawn, and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered from an exploit of its own on Oct. 11, with its Ethereum bridge drained of around $1.89 million worth of its native QANX token, according to blockchain security company Beosin. QANplatform said it’s investigating the incident.

Bug bounty quadruples for Ethereum network — Up to $1M payouts ahead of Merge

According to the Ethereum Foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million.

The Ethereum Foundation has announced it will be increasing the network’s bug bounty payouts fourfold ahead of the blockchain’s transition to proof-of-stake.

In a Wednesday blog post, the Ethereum Foundation said that between Aug. 24 and Sept. 8, all “Merge-related bounties for vulnerabilities” will be quadrupled for white hats testing the network. According to the foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million. The bounty program also accepts submissions for low-, medium- and high-risk bugs.

As part of the transition to proof-of-stake, the foundation said the Merge “must first be activated on the Beacon Chain with the Bellatrix upgrade,” an event expected to happen on Sept. 6, with the Merge likely following between Sept. 10 and 20. Core developers previously announced a tentative Merge date of Sept. 15, when reaching the Terminal Total Difficulty, or TTD — the cumulative proof-of-work difficulty at which the final block is mined — will trigger the end of proof-of-work and the start of proof-of-stake.

“The incremental difficulty added per block is dependent on the network hash rate, which is volatile,” said the foundation. “If more hash rate joins the network, TTD will be reached sooner. Similarly, if hash rate leaves the network, TTD will be reached later.”

Source: Ethereum Foundation

The foundation added that Ether (ETH) holders and users largely did not need to take any action prior to the Merge other than to “be on the lookout for scams.” Mining will no longer be possible following the transition, while node operators and stakers will both need to run an execution layer client alongside a consensus layer client.

In July 2020, the Ethereum Foundation announced it had launched public “attack networks” for Ethereum 2.0 so white hats could attempt to exploit potential issues in the clients, offering a $5,000 bounty at the time. However, in August 2021, a vulnerability affecting earlier versions of one of Ethereum’s software clients, Geth, caused a chain split among the more than half of the network’s nodes still running the unpatched versions. The Merge will require the latest version of Geth as an execution client.

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Other projects have offered up to $1 million or more in bug bounties aimed at finding exploits that could result in the theft, or risk of loss, of millions, as Sky Mavis did in April 2022 following a $600-million hack on the Ronin Network. In June, Ethereum bridging and scaling solution Aurora paid a $6-million bounty to a white hat hacker who discovered a critical bug.