TL;DR
In 2024, OpenZeppelin executed thorough audits of Uniswap v4's Core, Periphery, and Universal Router, uncovering and resolving critical security issues. Following the audits, the Uniswap Foundation awarded OpenZeppelin a grant to develop the Uniswap v4 Hooks Library, structured into three key milestones aimed at improving developer experience, accelerating innovation, and minimizing risks.
Uniswap Introduction
Uniswap, one of the earliest and most iconic DeFi protocols, has maintained its position as the leading decentralized exchange despite numerous challenges from an ever evolving industry. As of December 2024, it secures over $6 billion in Total Value Locked and has facilitated more than $1.5 trillion in trading volume since its launch.
From v1 simple token swaps to v3 concentrated liquidity, Uniswap has consistently introduced new features that have set industry standards. The upcoming Uniswap v4 brings notable enhancements, such as:
- Hooks for Custom Logic Integration: Hooks allow developers to inject custom code at specific points in a pool's lifecycle, enabling functionalities like on-chain limit orders, dynamic fee structures, and customized liquidity provisioning strategies.
- Dynamic Fees: This feature adjusts trading fees in real-time based on market volatility and liquidity conditions, optimizing returns for liquidity providers and reducing costs for traders.
- Streamlined Pool State Management: Enhanced pool management reduces gas costs by simplifying state updates and minimizing redundant calculations.
Key Security Events in 2024
In 2024, OpenZeppelin conducted three major security audits for Uniswap v4:
- Core Audit: This audit focused on the Uniswap v4's core components, ensuring the integrity of the protocol's foundation.
- Periphery and Universal Router Audit: This audit examined the abstraction layer built on top of Uniswap v4 core, and the Universal Router, which provides flexibility for executing trades across multiple token types.
- Hooks Library Development: Following the audits, OpenZeppelin received a grant from the Uniswap Foundation to develop a contracts library for Uniswap v4 Hooks, to accelerate development and minimize risks.
Audits
During the audits, OpenZeppelin identified critical and high-severity issues:
- A critical severity issue that allowed unauthorized users to steal fees via the _increase function was discovered in the Periphery and Universal Router audit, which was promptly resolved.
- One high-severity issue was also identified and addressed in the same audit. In this case, slippage checks were bypassed when accrued fees exceeded tokens required for a liquidity deposit, exposing users to sandwich attacks. This issue was resolved by enforcing slippage checks on token amounts excluding accrued fees.
- The Core audit revealed one critical and three medium-severity issues, all of which were successfully resolved. Notably, OpenZeppelin was the sole security firm among five other audit firms to identify the critical issue in the core protocol. In this critical issue the design allowed potential inconsistencies between native and ERC-20 token pools on chains where the native currency has a corresponding ERC-20 token, leading to settlement issues.
Hooks Library Development
The development of the Hooks Library is structured into three key milestones:
1. Abstract Hooks
- Objective: Create flexible abstractions that allow developers to easily design custom Hooks with advanced accounting capabilities.
- Benefits: Enable advanced use cases such as custom fee structures, dynamic pricing curves, impermanent loss hedging, and Liquidity Value at Risk (LVR) minimization.
- Support: Provide a robust testing suite to ensure that any customizations maintain the required invariants and security standards.
2. Accounting Improvement Hooks:
- Objective: Introduce pre-built implementation Hooks designed to address limitations of traditional Automated Market Makers (AMMs).
- Features: Include Hooks that mitigate risks like atomic sandwich attacks, enhancing pools resilience against common challenges in DeFi swaps.
- Flexibility: Allow developers to extend or combine these Hooks to tailor solutions to their specific needs.
3. User Experience Hooks:
- Objective: Enhance the overall user and developer experience with additional tools and interfaces.
- Innovations: Provide new order types and Hooks for improved handling of large trades.
- Accessibility: Develop a wizard-style interface to streamline the process of combining multiple Hooks and simplify integration with development environments like Hardhat and Foundry.
Results and Impact
The audits and subsequent development of the Hooks Library had significant positive impacts for the Uniswap protocol:
- Enhanced Security: The identification and resolution of critical and high-severity issues significantly improved the overall security of Uniswap v4.
- Innovation Enablement: The development of the Hooks Library will empower developers to build secure and efficient custom logic on top of Uniswap v4, fostering DeFi innovation.
- Gas Optimization: Our audit findings and subsequent improvements helped slash gas costs for users, making Uniswap more cost-effective for all users.
- Improved User Experience: We are working on some exciting features, like native ETH support, and the development of user-friendly interfaces in the Hooks Library that will contribute to a better user experience.
Conclusion
Uniswap is one of the building blocks of DeFi, and OpenZeppelin is proud to be a long time partner of such a protocol and to have positively contributed to make its future developments safer and more efficient.
Through rigorous audits and the development of secure libraries, Uniswap v4 is poised to offer enhanced functionality, improved efficiency, and robust security. This partnership recap underscores the importance of proactive security measures and expert collaborations in fostering innovation while maintaining the integrity of decentralized financial systems.
