Security auditing firm Debaub received a Uniswap "bug bounty" worth $40,000 after discovering a critical vulnerability in a smart contract on the protocol.

The vulnerability was found in Uniswap’s Universal Router contract, a new technology and scripting language that allows users to swap multiple tokens for NFTs in one transaction.

Debaub said on Twitter that the vulnerability could have allowed someone to implement third-party code during a transfer and steal funds.

“Clearly, the UniversalRouter should not hold any balances between transactions, or these can be emptied by anyone,” founder of Debaub Yannis Smaragdakis wrote.

Debaub said it received immediate confirmation from the Uniswap team a few weeks ago when it first found the vulnerability. It received $40,000 in USDC for the discovery of the bug.