Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Uniswap X is a signature-based order book protocol. This allows for order fillers to perform arbitrary execution during the fulfillment, as long as the result of the execution is the order being filled properly. This allows a filler to get the best price from all of the various protocols, not just Uniswap, to fill the order.

The author of this post had recently written a similar protocol called FloodPlain. In this protocol, the author wrote a bug that was caught by Spearbit. So, he wondered if the issue existed within the Uniswap X protocol. And, it turns out that it did!

UniswapX will do a balance check before and after on the user to ensure that the user got the proper amount of tokens. However, this has a consequence: what if the user has another order in another protocol going on at the same time for the same token? If this happens, then it's possible to trick the accounting of the system.

For instance, say a user made an order for 70 USDC on OpenSea and Uniswap at the same time. While taking the order from Uniswap (via the callback), the other platform could be resolved. Now, the user has 70K USDC in the account. So, upon entering back into the function, Uniswap believes that the user fairly got their funds. However, this came from ANOTHER order. So, the attacker gets a large amount of money in profit from it.

The author got 200K USDC reward for this vulnerability; I appreciate how seriously Uniswap takes these bugs! Although this situation was possible, it wasn't something that could be trivially triggered. Additionally, I enjoyed the outlook on this from a developer perspective. A video going into the details can be found at here.