A security exploit on staking protocol Bedrock allowed users to swap Universal Bitcoin, a wrapped Bitcoin on the platform, with Ethereum at a 1:1 ratio, despite a price difference of more than $60,000.
The exploit, which has now been “handled,” resulted in an estimated $2 million being swiped from the protocol, mostly from decentralized exchange liquidity pools. The staking protocol said it is working to recover the lost funds, that a reimbursement plan is being “finalized,” and that it will share proof-of-reserves “once it is available.”
Dedaub, a third-party security firm, had notified Bedrock of the vulnerability hours prior to the attack—but most of the team was asleep, so couldn’t act in time. The vulnerability came about as part of a contract upgrade that took place 36 hours before the attack, which mismatched the exchange rate between Ethereum and Bitcoin.
Bedrock confirmed to Decrypt that the smart contract in question had not been audited before it was deployed. A spokesperson noted that its smart contracts are typically audited by security firms Blocksec and Peckshield.
“Unfortunately, we did not follow the strict conventions of getting an audit for this and paid the price,” the spokesperson told Decrypt. “We are taking full responsibility and will be forking out a full compensation to the amount of BTC obtained by the exploiter.”
In many ways, the protocol was fortunate that only $2 million was taken. As explained by Dedaub, the exploit was an “infinite-mint vulnerability” on the uniBTC token, meaning that the entire protocol’s funds could have been drained. However, in collaboration with white hat group Seal 911, the potential losses were minimized by pausing third party protocols exposed to at-risk funds.
“We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU.” Bedrock posted on Twitter over six hours after it was highlighted on Twitter, “At this time, no extra actions are required from our community. Rest assured that all uniBTC held by users are safe.”
At the time of writing, uniBTC is worth $63,450 while Ethereum is just $2,660, according to CoinGecko. That means for every uniBTC that the attacker minted they would have profited over $60,000.
The initial wallet was funded by Tornado Cash, a crypto mixer sanctioned by the U.S. Treasury, before performing the exploit at 6:28 p.m. UTC on Thursday to the tune of $1.8 million. It then sent the appropriated funds to a new wallet that now holds 650 ETH ($1.73 million). Both addresses later received blockchain messages from the Bedrock deployer address.
“We would like to communicate with you inviting you to become a white hat for the recent incidence,” the message reads. “Would you be interested in working with us and making the protocol more secure? And we are happy to work on a reward for your help.”
White hat hackers use their skills to help boost the security of platforms by identifying exploits. There are countless examples of crypto protocols losing millions in attacks for the funds to later be returned, in a white hat rescue pivot.
For now, however, this does not seem to be the case for Bedrock, as the wallet holding the stolen funds is inactive.
Edited by Stacy Elliott.
Editor’s note: This story was updated after publication with more details and a comment from Bedrock, as well as clarification on the status of security firm Dedaub in relation to Bedrock. Contrary to what Bedrock originally told Decrypt, Dedaub says it is unaffiliated with Bedrock and simply warned the protocol as third-party white hat hackers.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Source: Staking Protocol Bug Let Users Swap One Bitcoin for One Ethereum – Decrypt