In summary
- A security vulnerability in Bedrock’s staking protocol allowed users to exchange Universal Bitcoin (uniBTC) for Ethereum at a 1:1 ratio, despite a price difference of more than $60,000.
- The exploit resulted in an estimated loss of $2 million, primarily from decentralized exchange liquidity pools, and the protocol is working to recover the lost funds.
- The vulnerability emerged as part of a contract update that took place 36 hours before the attack, and the smart contract in question had not been audited before being deployed.
A security vulnerability in Bedrock’s staking protocol allowed users to exchange Universal Bitcoin (uniBTC), a wrapped Bitcoin token issued on the platform, for Ethereum at a 1:1 ratio, despite a price difference of more than $60,000.
The exploit, which has now been “handled,” resulted in an estimated loss of $2 million, primarily from the liquidity pools of decentralized exchanges. The staking protocol said it is working to recover the lost funds, that a repayment plan is being “finalized,” and that it will share proof of reserves “once available.”
Dedaub, a third-party security firm, had notified Bedrock of the vulnerability hours before the attack, but most of the team was asleep, so it couldn’t act in time. The vulnerability emerged as part of a contract update that took place 36 hours before the attack, which misaligned the exchange rate between Ethereum and Bitcoin.
Bedrock confirmed to Decrypt that the smart contract in question had not been audited before being deployed. A spokesperson noted that its smart contracts are typically audited by security firms Blocksec and Peckshield.
“Unfortunately, we did not follow the strict conventions of obtaining an audit for this and we paid the price,” the spokesperson told Decrypt. “We are taking full responsibility and will fully compensate the amount of BTC obtained by the exploiter.”
In many ways, the protocol was lucky that the attacker only took $2 million. As Dedaub explained, the exploit was an “infinite creation vulnerability” in the uniBTC token, meaning the entire protocol’s funds could have been drained. However, in collaboration with the white hat group Seal 911, potential losses were minimized by pausing third-party protocols exposed to the compromised funds.
“We want to inform you that the Bedrock team is aware of a security vulnerability involving uniBTC. The problem has been resolved and the funds are safe,” Bedrock posted on Twitter more than six hours after the issue was first highlighted there. “At this time, no additional actions are required from our community. Rest assured, all uniBTC in the hands of users is safe.”
At the time of writing, uniBTC is worth $63,450 while Ethereum is only worth $2,660, according to CoinGecko. This means that for every uniBTC the attacker created, they would have made over $60,000.
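The bug described above is a mint path that priced ETH as if it were BTC. As an added example that is not Bedrock’s code, the block below shows a hardened quote function that values deposits through a price oracle, beside a simple monitor that flags mints whose minted value exceeds the collateral received, using the prices quoted in this article. The `BTC_PEGGED` allowlist, the tolerance and the sample mint events are constructed assumptions.

```python
from decimal import Decimal, getcontext

getcontext().prec = 28

# Prices quoted in the article (CoinGecko, at time of writing).
PRICE_USD = {"ETH": Decimal("2660"), "BTC": Decimal("63450")}
# Hypothetical allowlist of collateral the vault may accept at 1:1.
BTC_PEGGED = {"BTC", "WBTC"}


def quote_unibtc(asset: str, amount: Decimal) -> Decimal:
    """Hardened conversion: only BTC-pegged collateral mints 1:1; anything
    else is valued in USD via the oracle and paid out at the BTC price."""
    if asset in BTC_PEGGED:
        return amount
    if asset not in PRICE_USD:
        raise ValueError(f"no oracle price for {asset}, refusing to mint")
    return amount * PRICE_USD[asset] / PRICE_USD["BTC"]


def overmint_ratio(asset: str, deposited: Decimal, minted: Decimal) -> Decimal:
    """USD value of uniBTC minted divided by USD value of collateral received.
    A healthy mint is ~1.0; the 1:1 ETH bug produces BTC_price / ETH_price."""
    collateral_price = PRICE_USD["BTC" if asset in BTC_PEGGED else asset]
    return (minted * PRICE_USD["BTC"]) / (deposited * collateral_price)


def flag_overmints(events, tolerance=Decimal("1.01")):
    """Return the (asset, deposited, minted) events that minted more value
    than was deposited, beyond a small tolerance for oracle rounding."""
    return [
        e for e in events
        if overmint_ratio(e[0], Decimal(e[1]), Decimal(e[2])) > tolerance
    ]


# Constructed sample mint events (asset, deposited, uniBTC minted); not chain data.
SAMPLE_EVENTS = [
    ("WBTC", "0.5", "0.5"),      # legitimate 1:1 BTC-backed mint
    ("ETH", "10", "0.41923"),    # ETH correctly priced through the oracle
    ("ETH", "30", "30"),         # the bug class: 30 ETH minted 30 uniBTC
]

if __name__ == "__main__":
    for event in flag_overmints(SAMPLE_EVENTS):
        print("over-mint:", event, "ratio", overmint_ratio(event[0], Decimal(event[1]), Decimal(event[2])))
```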
The initial wallet was funded through Tornado Cash, a cryptocurrency mixer sanctioned by the US Treasury, before carrying out the exploit at 6:28 pm UTC on Thursday for an amount of $1.8 million. The attacker then sent the stolen funds to a new wallet that now contains 650 ETH ($1.73 million). Both addresses then received on-chain messages from the Bedrock deployer address.
“We would like to contact you inviting you to become a white hat (hacker) for the recent incident,” the message says. “Would you be interested in working with us and making the protocol more secure? And we are happy to work on a reward for your help.”
White hat hackers use their skills to help increase the security of platforms by identifying vulnerabilities. There are countless examples of cryptocurrency protocols losing millions in attacks only for the funds to be returned under a white hat ransom arrangement.
However, for now, this does not appear to be the case for Bedrock, as the wallet containing the stolen funds is inactive.
Edited by Stacy Elliott.
Editor’s note: This story was updated after publication with more details and a comment from Bedrock, as well as clarification on the status of security firm Dedaub in relation to Bedrock. Contrary to what Bedrock originally told Decrypt, Dedaub says it is not affiliated with Bedrock and simply warned the protocol as third-party ethical hackers.