Blockchain security firm Dedaub found a “critical vulnerability” in a Uniswap smart contract, which has since been addressed and redeployed.

In a Jan. 3 update, Dedaub said it had disclosed a vulnerability with the Universal Router smart contracts that would allow re-entrancy to drain user funds in the middle of a transaction. A re-entrancy attack takes place when a bad actor creates an external smart contract with malicious code to interact with and exploit a vulnerable smart contract and steal funds in a looped fashion over and over again.

The Universal Router is a fairly new smart contract that was introduced by Uniswap Labs in November. It functions by grouping NFT trades and ERC-20 tokens into a gas optimized-router and lets users swap multiple tokens on Uniswap and buy NFTs across marketplaces in a single transaction.

“If untrusted code is invoked at any point in the transfer, the code can re-enter the UniversalRouter and claim any tokens already in the UniversalRouter contract,” explained Dedaub founder Yannis Smaragdakis in a blog post.

Dedaub received a bug bounty of $40,000 worth of USDC from Uniswap after reporting the bug. The Uniswap team has addressed the issue and implemented a fix on the contract, said the security firm.

Although Dedaub described the bug as critical, Uniswap classified it as a “medium severity” issue in a message to the security firm. At the time of writing, the Uniswap team had not issued any statements of its own on a public platform addressing the bug.