A security exploit on staking protocol Bedrock allowed users to swap Universal Bitcoin, a wrapped Bitcoin on the platform, with Ethereum at a 1:1 ratio, despite a price difference of more than $60,000.
The exploit, which has now been “handled,” resulted in an estimated $2 million being swiped from the protocol, mostly from decentralized exchange liquidity pools. The staking protocol said it is working to recover the lost funds, that a reimbursement plan is being “finalized,” and that it will share proof-of-reserves “once it is available.”
Dedaub, the staking protocol’s security firm, had notified Bedrock of the vulnerability hours prior to the attack—but most of the team was asleep, so couldn’t act in time. The vulnerability came about as part of a contract upgrade that took place 36 hours before the attack, which mismatched the exchange rate between Ethereum and Bitcoin.
Bedrock has yet to respond to Decrypt’s query on why the contract wasn’t audited prior to going live.
In many ways, the protocol was fortunate that only $2 million was taken. As explained by Dedaub, the exploit was an “infinite-mint vulnerability” on the uniBTC token, meaning that the entire protocol’s funds could have been drained. However, in collaboration with white hat group Seal 911, the potential losses were minimized by pausing third party protocols exposed to at-risk funds.
“We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU.” Bedrock posted on Twitter over six hours after it was highlighted on Twitter, “At this time, no extra actions are required from our community. Rest assured that all uniBTC held by users are safe.”
⚠️Important Announcement from the Bedrock Team
We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU.
We want to reassure everyone that the underlying wrapped BTCs and BTCs in reserves are…
— Bedrock | Bitcoin Restaking LIVE (@Bedrock_DeFi) September 27, 2024
At the time of writing, uniBTC is worth $63,450 while Ethereum is just $2,660, according to CoinGecko. That means for every uniBTC that the attacker minted they would have profited over $60,000.
The initial wallet was funded by Tornado Cash, a crypto mixer sanctioned by the U.S. Treasury, before performing the exploit at 6:28 p.m. UTC on Thursday to the tune of $1.8 million. It then sent the appropriated funds to a new wallet that now holds 650 ETH ($1.73 million). Both addresses later received blockchain messages from the Bedrock deployer address.
“We would like to communicate with you inviting you to become a white hat for the recent incidence,” the message reads. “Would you be interested in working with us and making the protocol more secure? And we are happy to work on a reward for your help.”
White hat hackers use their skills to help boost the security of platforms by identifying exploits. There are countless examples of crypto protocols losing millions in attacks for the funds to later be returned, in a white hat rescue pivot.
For now, however, this does not seem to be the case for Bedrock, as the wallet holding the stolen funds is inactive.
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Source: https://decrypt.co/283440/staking-protocol-bug-let-users-swap-one-bitcoin-for-one-ethereum