Uniswap v1 explained: How it changed DeFi forever
AMMDeFi

Uniswap v1 explained: How it changed DeFi forever

October 27, 2025
10 min read
24 views
M3D
M3D
Launched in November 2018, Uniswap v1 was a groundbreaking protocol that introduced the Automated Market Maker (AMM) to a wide audience. It was conceived with a philosophy that prioritized simplicity, censorship resistance, and decentralization, establishing a new paradigm for on-chain token exchange that eliminated the need for traditional order books and trusted intermediaries. While its design was elegant and effective, its inherent limitations provided critical lessons that paved the way for future versions.
This article is part of our AMM security series:

Core architecture and AMM model

The architecture of Uniswap v1 was intentionally minimalist, comprising a two-contract system written in the Vyper programming language. This design choice underscored its commitment to simplicity and auditability.

The constant product formula (xy=kx \cdot y = k)

At the heart of Uniswap v1 is the constant product formula, xy=kx \cdot y = k, which defines the relationship between the reserves of two assets in a liquidity pool. In this model:
  • xx represents the quantity of one asset in the pool (e.g., ETH).
  • yy represents the quantity of the other asset (an ERC20 token).
  • kk is the "constant product" or invariant, which must remain constant during a trade (before fees).
This formula creates a hyperbolic bonding curve for asset prices. When a trader wishes to swap an amount Δx\Delta x of asset X for an amount Δy\Delta y of asset Y, the new reserves must satisfy the equation (x+Δx)(yΔy)=k(x + \Delta x) \cdot (y - \Delta y) = k. A key implication of this curve is that it asymptotically approaches the axes but never touches them, meaning a pool can theoretically never be fully depleted of one asset through trading alone, thus providing "infinite" liquidity. A 0.30% fee is taken from each trade and added back to the reserves, which causes the value of kk to increase over time, rewarding liquidity providers.

Factory and exchange contract design

The protocol's logic was split between two types of smart contracts:
  1. Factory contract: This served as a public registry and a permissionless deployer for new exchange contracts. Its primary function, createExchange, ensured that there could only be one canonical exchange contract for each unique ERC20 token address. The factory maintained mappings to look up an exchange address from a token address and vice versa (token_to_exchange, exchange_to_token), creating a discoverable on-chain system.
  2. Exchange contract: Each ERC20 token had its own dedicated exchange contract, which held the liquidity pool for that token and ETH. These contracts implemented the core AMM logic, exposing functions for liquidity management (addLiquidity, removeLiquidity) and a suite of swap functions with a standardized naming convention (e.g., ethToTokenSwapInput, tokenToEthSwapOutput) to handle different trade directions and whether the input or output amount was fixed.

ETH as a bridge asset

A defining architectural choice in v1 was the exclusive use of ETH as the common pair for all ERC20 tokens. There were no direct ERC20-to-ERC20 pools. To trade between two different ERC20 tokens (e.g., Token A to Token B), the trade was routed through ETH in a single atomic transaction: Token A was sold for ETH in its respective pool, and the resulting ETH was immediately used to buy Token B in its pool. While this simplified routing, it was inefficient, forcing traders to pay two separate 0.30% trading fees and incur slippage twice.

Liquidity provision and LP tokens

Anyone could become a liquidity provider (LP) by depositing an equivalent value of both ETH and the corresponding ERC20 token into an exchange contract. In return, the LP received ERC20-compliant "pool tokens" that represented their proportional share of the total liquidity pool. These LP tokens could be burned at any time to withdraw the provider's share of the reserves, including their portion of the accrued trading fees.

Security analysis: vulnerabilities and audits

The security posture of Uniswap v1 is best understood through its official audit and the systemic risks inherent in its design. These findings became foundational lessons for the entire DeFi ecosystem.

The ConsenSys Diligence audit (January 2019)

The official security audit, conducted by ConsenSys Diligence, was a comprehensive review of the Vyper codebase. The audit found the code to be of high quality but identified several design-level vulnerabilities that posed significant risks. It identified seven open issues, the most severe of which were a "Major" reentrancy vulnerability and a "Medium" front-running issue. The auditors noted that the protocol was already live with over $300,000 in assets, which provided a natural bug bounty and suggested no easily exploitable vulnerabilities were known at the time.

The reentrancy vulnerability (major severity)

The most critical finding was a reentrancy vector that could allow an attacker to drain a liquidity pool.
  • Mechanism: The vulnerability was not in the Uniswap contract code itself but arose from its interaction with non-standard ERC20 tokens, such as those compliant with the ERC-777 standard. If a token contract included an external call within its transferFrom function (e.g., a callback to the sender), an attacker could re-enter the Uniswap exchange contract's swap function before the initial transaction was complete. This re-entry would occur after the token balance in the pool had been updated but before the corresponding ETH had been transferred out, temporarily breaking the xy=kx \cdot y = k invariant.
  • Exploitation path: An attacker could initiate a tokenToEth swap. During the re-entrancy window created by the token's transferFrom callback, the pool would have an artificially high ETH balance relative to its token balance. The attacker could then execute a second swap within the re-entrant call, draining the inflated ETH reserve at an extremely favorable price.
  • Remediation: The recommended fix was to add a mutex, or reentrancy guard, to all trading functions to prevent such recursive calls. This vulnerability highlighted a critical design trade-off: v1's commitment to absolute permissionlessness created a security dependency on the behavior of external, untrusted contracts. The protocol's security was not self-contained.

Front-running and slippage (medium severity)

The audit also identified a medium-severity issue related to front-running, which was not a contract bug but a parameterization choice in the official frontend.
  • Mechanism: Front-running attacks exploit the transparency of public mempools. The audit pointed out that the default ALLOWED_SLIPPAGE constant in the Uniswap frontend was set to a generous 2.5%. This created a guaranteed profit margin for front-runners, who could see a user's pending trade, copy it with a higher gas fee to execute first, and push the price by up to 2.5% against the user, thereby extracting that value.
  • Impact: This finding demonstrated the crucial link between on-chain protocol security and off-chain client implementation. The protocol itself was behaving as designed, but the client-side settings created a systemic vulnerability for its users.

Inherent protocol risk: price oracle manipulation

The most significant systemic flaw in Uniswap v1 was its unsuitability as an on-chain price oracle.
  • The vector: The spot price in a v1 pool is calculated simply as the ratio of its reserves (y/xy/x). This price could be trivially and cheaply manipulated within a single atomic transaction. An attacker could use a flash loan to execute a large trade, momentarily skewing the reserves and thus the price. They could then call a victim contract that relies on this manipulated price for a critical operation (e.g., determining collateral value), and finally, reverse their initial trade to restore the original price, all at a minimal cost.
  • Real-world impact: This was not a theoretical risk. Multiple DeFi protocols that used Uniswap v1 as a price feed, such as bZx and Cheese Bank, were exploited through this exact mechanism, leading to substantial financial losses. This flaw made it clear that a simple spot price from an AMM is not a secure price source for other smart contracts.

Conclusion

Uniswap v1 stands as a landmark achievement in decentralized finance. By successfully introducing the AMM to the world through an elegant and simple design, it proved that complex financial exchanges could operate on-chain without intermediaries. However, its architectural choices—the ETH-centric routing, the insecure spot price oracle, and its susceptibility to reentrancy from non-standard tokens—served as critical, foundational lessons for the entire ecosystem. It was not just a protocol; it was a proof-of-concept that catalyzed the evolution of DeFi, setting the stage for the more robust and efficient systems that would follow.

Get in touch

At Zealynx, we deeply understand the foundational AMM designs, architectural trade-offs, and security vulnerabilities that protocols like Uniswap pioneered. Whether you are building a protocol that integrates with an AMM, auditing a complex DeFi system, or require expert guidance on smart contract security and economic risks, our team is ready to assist — reach out.
Want to stay ahead with more in-depth analyses like this? Subscribe to our newsletter and ensure you don’t miss out on future insights.

FAQ: Uniswap v1: core mechanics

1. What is the constant product formula in Uniswap v1?
The constant product formula (xy=kx \cdot y = k) is the mathematical core of Uniswap v1. It dictates that the product of the reserves of two assets in a liquidity pool (x and y) must remain constant (k) during a trade. This creates a hyperbolic price curve that allows for automated, permissionless token swaps without needing a traditional order book, theoretically providing infinite liquidity as a pool can never be fully drained of one asset through trades alone.
2. Why was Uniswap v1 considered an insecure price oracle?
Its price was calculated as a simple ratio of the pool's reserves (y/xy/x). This "spot price" was vulnerable to instantaneous manipulation within a single transaction. An attacker could use a flash loan to execute a massive trade, temporarily skew the price, trigger a function in another protocol that relies on this false price, and then reverse the trade to repay the loan, all at minimal cost. This led to multiple high-profile exploits in other DeFi protocols.
3. What was the 'Major' severity reentrancy vulnerability in Uniswap v1?
The vulnerability was not in Uniswap's own code but in its interaction with non-standard ERC20 tokens that had callbacks in their transfer functions (e.g., ERC-777). An attacker could initiate a swap, and during the token transfer, the token contract would "call back" to the attacker's contract. This allowed the attacker to re-enter the Uniswap contract and execute another trade before the first one was complete, exploiting a temporarily inconsistent state to drain the pool's funds.
4. Why did Uniswap v1 exclusively use ETH as a bridge asset?
Using ETH as the mandatory common pair for all ERC20 tokens greatly simplified the protocol's design and routing logic, as any token could be traded for any other token via a two-step path (Token A -> ETH -> Token B). However, this was inefficient, forcing traders to pay double trading fees (0.3% twice) and incur increased slippage compared to a direct token-to-token pool.

oog
zealynx

Subscribe to Our Newsletter

Stay updated with our latest security insights and blog posts

Quick Links

Services

Company

Resources

© 2024 Zealynx