Hack Explained - Bedrock


Bedrock is a multi-asset liquid staking protocol designed to enhance liquidity in the blockchain ecosystem, particularly for institutional investors. Recently, it suffered a significant security breach resulting in the theft of approximately $2 million. The root cause was a vulnerability in the uniBTC smart contract that allowed attackers to mint tokens uncontrollably.

Behind the Breach

The exploit occurred on September 27, 2024, when hackers targeted the uniBTC contract, a synthetic Bitcoin token used within Bedrock's offerings. The vulnerability allowed the attackers to mint 30.8 uniBTC, which was then exchanged for Wrapped Bitcoin (WBTC) within a Uniswap pool. Despite prior warnings about potential security issues, Bedrock's response was not swift enough to prevent the exploit. The attackers, reportedly utilising around 125 unique addresses, managed to drain liquidity primarily from decentralised exchange pools.

Lessons from the Incident

This incident highlights a critical lesson about security in the DeFi space. The breach's root cause lay in improper handling of token types within the smart contract, emphasising the need for more rigorous security audits.
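
The page does not show the vulnerable code. The sketch below is an added example, not Bedrock's contract: it assumes a vault that credits whatever asset it receives at the receipt token's face value, and sets that weak mint path beside one that checks the asset type first. All names in it (VaultSketch, IMintable, IERC20Like, NATIVE, allowed) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this article; not Bedrock's contract code.
// Every name below is hypothetical.
interface IMintable { function mint(address to, uint256 amount) external; }
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function decimals() external view returns (uint8);
}

contract VaultSketch {
    address constant NATIVE = address(0);      // placeholder meaning "native coin"
    uint8 constant RECEIPT_DECIMALS = 8;       // receipt token uses BTC-style decimals
    IMintable public immutable receipt;
    address public immutable owner;
    mapping(address => bool) public allowed;   // BTC-pegged assets accepted as backing

    constructor(IMintable receipt_) { receipt = receipt_; owner = msg.sender; }

    function setAllowed(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        // The native coin is not BTC-pegged, so it can never become backing.
        require(token != NATIVE, "native coin not accepted");
        allowed[token] = ok;
    }

    // WEAK: the asset type is never checked. Any native value sent is treated
    // as if it were the BTC-pegged asset and credited 1:1 in raw units.
    function mintUnchecked() external payable {
        receipt.mint(msg.sender, msg.value);
    }

    // HARDENED: only allow-listed tokens are accepted, the function is not
    // payable, and the amount is normalised to the receipt token's decimals.
    function mintChecked(address token, uint256 amount) external {
        require(allowed[token], "asset not accepted");
        uint8 d = IERC20Like(token).decimals();
        require(d >= RECEIPT_DECIMALS, "unsupported decimals");
        uint256 out = amount / (10 ** uint256(d - RECEIPT_DECIMALS));
        require(out > 0, "amount too small");
        require(IERC20Like(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        receipt.mint(msg.sender, out);
    }
}
```

An audit or invariant test for a vault of this kind would assert that the receipt token's total supply never exceeds the BTC-denominated value of the assets the vault holds.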


Rivanorth is a Web3 cybersecurity company specialising in smart contract audits and 360 degree security services for Web3.
