Full Report
Bedrock protocol is a liquid staking protocol for various assets, one of which is Bitcoin. The Dedaub team discovered an issue in the protocol and messaged the developers on Twitter about it. After not getting a response for 20 minutes, they messaged SEAL 911 to create a war room to contain the issue. During the two hours of the war room, the vulnerability was exploited for $2M. In reality, this was fine because the third-party protocols that could have been rugged were contacted and turned off the functionality.

At first glance, 20 minutes seems too aggressive a window before escalating to a third party outside the company. The Twitter message at the bottom has a follow-up of "please don't ignore me" after three minutes, which seems fast. Somebody could just be in the shower or sleeping. However, given that it was immediately exploited, the escalation seems warranted. To me, it's weird that two groups found the same vulnerability for a live contract at the same time.

The vulnerability was in the mint() function. On the BTC vault, there was a 1:1 mapping from ETH to BTC, so ETH sent in was credited as if it were BTC. Since BTC is much more expensive, performing this trade would result in an instant profit to the attacker. Although the BTC contract couldn't be called directly, the vault was a trusted minter that could still trigger the mint. Fairly simple bug, but it's always interesting to see the incident response on them!
Analysis Summary
# Incident Report: Bedrock Protocol uniBTC Infinite Mint Exploitation
## Executive Summary
On September 26, 2024, the Bedrock liquid staking protocol was exploited due to a critical vulnerability in its `mint()` function that allowed users to swap ETH for uniBTC at a 1:1 ratio. Despite proactive discovery and escalation by security researchers at Dedaub, a lack of immediate response from the Bedrock team allowed attackers to exploit the flaw. While $2M was lost to liquidity pools, proactive containment by third-party protocols (Pendle and Corn) prevented the total loss of the $75M uniBTC market cap.
## Incident Details
- **Discovery Date:** September 26, 2024
- **Incident Date:** September 26, 2024
- **Affected Organization:** Bedrock
- **Sector:** Decentralized Finance (DeFi) / Liquid Staking
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** 18:28 UTC
- **Vector:** Publicly accessible smart contract function (`mint()`).
- **Details:** The attacker utilized a logic error in the uniBTC vault contract that failed to account for the price disparity between ETH and BTC.
### Lateral Movement
- **Details:** Not applicable in the traditional sense; however, the attacker moved "horizontally" across 8 different blockchain networks (including Ethereum, BSC, and Arbitrum) where the vulnerable vault was deployed to maximize extraction.
### Data Exfiltration/Impact
- **Details:** The attacker minted massive quantities of uniBTC and swapped them for legitimate assets (WBTC/ETH) via decentralized exchanges (DEXs) like Uniswap and PancakeSwap. Total direct loss: ~$2M.
### Detection & Response
- **16:00 UTC:** Dedaub team discovers the vulnerability via simulation.
- **16:27 UTC:** Dedaub attempts to contact Bedrock via X (Twitter).
- **16:41 UTC:** Dedaub escalates to SEAL 911; a Telegram war room is created.
- **18:28 UTC:** First exploit transaction recorded on Ethereum mainnet.
- **19:00+ UTC:** SEAL 911 contacts Pendle and Corn to pause affected pools.
- **Post-Exploit (Late Night):** Bedrock developers awaken and pause the vulnerable vaults.
## Attack Methodology
- **Initial Access:** Direct interaction with the `mint()` function on the `Vault` contract.
- **Persistence:** Not required; the attack was an atomic smart contract exploitation.
- **Privilege Escalation:** The vault was a "trusted minter" for the uniBTC token, meaning the vault’s logic error effectively granted the attacker administrative minting privileges.
- **Defense Evasion:** None; the transactions were public, but the speed of execution outpaced the response team.
- **Discovery:** Likely identified via automated fuzzing bots or mempool monitoring.
- **Impact:** Infinite minting of uniBTC, leading to potential hyper-inflation and total loss of asset peg.
## Impact Assessment
- **Financial:** ~$2,000,000 directly stolen from liquidity providers.
- **Data Breach:** None (Public blockchain data).
- **Operational:** Vulnerable vaults and integrations with Pendle/Corn were disabled, halting trading for all users.
- **Reputational:** Significant; the vulnerability was considered "simple" (1:1 ETH/BTC swap), and the team's slow response time was highlighted during the incident.
## Indicators of Compromise
- **Ethereum Transaction:** `0x725f0d65340c859e0f64e72ca8260220c526c3e0ccde530004160809f6177940`
- **Vulnerable Contract (Vault Proxy):** `0x047d41f2544b7f63a8e991af2068a363d210d6da`
- **Behavioral:** High-volume minting of uniBTC followed by immediate swaps for WBTC or ETH in AMM pools.
## Response Actions
- **Containment:** Third-party protocols (Pendle, Corn) paused their uniBTC-related functionalities to cut off exit liquidity.
- **Eradication:** Bedrock team eventually paused the `NATIVE_BTC` vault globally.
- **Recovery:** Communications issued to stakeholders; ongoing work to restore the peg and compensate providers.
## Lessons Learned
- **Redundancy in Communication:** Relying on X (Twitter) DM for critical vulnerabilities is insufficient. Teams must provide 24/7 emergency contact triggers (e.g., PagerDuty) for whitehats.
- **Multi-Chain Surface Area:** Deploying the same code across 8 chains multiplies the attack surface; security monitoring must be unified across all deployments.
- **Ecosystem Cooperation:** The SEAL 911 intervention and the quick response from Pendle/Corn were the only reasons the protocol didn't suffer a $75M total collapse.
## Recommendations
- **Emergency Pause Mechanisms:** Implementation of automated "circuit breakers" if exchange rates deviate significantly from an oracle price.
- **Rigorous Auditing/Fuzzing:** The simplicity of the `mint()` bug suggests that automated fuzzing during the CI/CD pipeline would have identified the 1:1 ETH/BTC parity issue.
- **Formalized IR Plan:** Dedicate specific personnel to "on-call" rotations so that a reported critical vulnerability does not sit unanswered for the roughly 2 hours between discovery and exploit, as it did here.
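To make the "circuit breaker" and fuzzing recommendations concrete, the following is an added example written for this page; it is not Bedrock's code and does not reproduce the real vault. The interface names (`IUniBTC`, `IPriceOracle`), the `btcPerEth()` oracle method, the assumption that uniBTC uses 18 decimals (so the unit error maps directly onto the ETH/BTC price error the report describes), and the thresholds are all hypothetical. It places the unpriced 1:1 mint pattern from the report next to a hardened path that prices ETH through an oracle, refuses mints when the live rate drifts from a reference, bounds minting per block, and exposes a permissionless breaker a monitoring bot can call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault for this incident report; NOT Bedrock's contract.
// Interfaces, decimals and thresholds below are assumptions.

interface IUniBTC {
    // The token trusts the vault as a minter, so the vault's own checks are the real gate.
    function mint(address to, uint256 amount) external;
}

interface IPriceOracle {
    // Assumed: how much BTC one ETH buys, scaled by 1e18 (e.g. 0.04e18).
    function btcPerEth() external view returns (uint256);
}

contract IllustrativeVault {
    uint256 private constant WAD = 1e18;

    IUniBTC public immutable uniBTC;
    IPriceOracle public immutable oracle;
    address public immutable admin;

    bool public paused;
    uint256 public referenceRate;     // slow-moving sanity anchor (e.g. a TWAP), 1e18-scaled
    uint256 public maxDeviationBps;   // e.g. 500 = 5 %
    uint256 public maxMintPerBlock;   // hard cap on uniBTC minted per block
    mapping(uint256 => uint256) public mintedInBlock;

    event Minted(address indexed to, uint256 ethIn, uint256 uniBtcOut, uint256 rate);
    event CircuitBreakerTripped(uint256 oracleRate, uint256 referenceRate);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(
        IUniBTC _uniBTC,
        IPriceOracle _oracle,
        uint256 _referenceRate,
        uint256 _maxDeviationBps,
        uint256 _maxMintPerBlock
    ) {
        uniBTC = _uniBTC;
        oracle = _oracle;
        admin = msg.sender;
        referenceRate = _referenceRate;
        maxDeviationBps = _maxDeviationBps;
        maxMintPerBlock = _maxMintPerBlock;
    }

    // The bug pattern the report describes, kept only for contrast: wei of ETH is
    // credited as uniBTC 1:1, ignoring that 1 ETH is worth a fraction of 1 BTC.
    function mintUnpriced() external payable {
        uniBTC.mint(msg.sender, msg.value);
    }

    // Pure conversion kept separate so it can be unit- and fuzz-tested in isolation
    // (invariant: for any rate < 1e18, quoteUniBtc(x, rate) < x).
    function quoteUniBtc(uint256 ethWei, uint256 rate) public pure returns (uint256) {
        return ethWei * rate / WAD;
    }

    // Basis-point distance of `rate` from `reference`; a zero reference fails closed.
    function deviationBps(uint256 rate, uint256 reference) public pure returns (uint256) {
        require(reference != 0, "no reference rate");
        uint256 diff = rate > reference ? rate - reference : reference - rate;
        return diff * 10_000 / reference;
    }

    function mint() external payable whenNotPaused returns (uint256 out) {
        require(msg.value > 0, "zero deposit");
        uint256 rate = oracle.btcPerEth();
        require(rate != 0, "bad oracle");
        // Inline guard: refuse mints while the live rate disagrees with the reference.
        require(deviationBps(rate, referenceRate) <= maxDeviationBps, "rate deviation");
        out = quoteUniBtc(msg.value, rate);
        // Rate limit: even if every assumption above is wrong, damage per block is bounded.
        mintedInBlock[block.number] += out;
        require(mintedInBlock[block.number] <= maxMintPerBlock, "block mint cap");
        uniBTC.mint(msg.sender, out);
        emit Minted(msg.sender, msg.value, out, rate);
    }

    // Permissionless circuit breaker. A revert inside mint() cannot persist a pause,
    // so the pause needs its own successful transaction; any monitoring bot may send it.
    function tripBreaker() external {
        uint256 rate = oracle.btcPerEth();
        require(rate == 0 || deviationBps(rate, referenceRate) > maxDeviationBps, "within bounds");
        paused = true;
        emit CircuitBreakerTripped(rate, referenceRate);
    }

    function setPaused(bool p) external onlyAdmin { paused = p; }
    function setReferenceRate(uint256 r) external onlyAdmin { referenceRate = r; }
}
```

The separation between `quoteUniBtc`/`deviationBps` (pure, fuzzable) and `mint` (stateful) is deliberate: a property test over the pure functions would have flagged a 1:1 quote as soon as the fuzzer supplied a rate below 1e18, which is the kind of CI check the report's fuzzing recommendation points at. The per-block cap is the last line of defense and should be sized so that a single bad block is survivable, not so large that it never fires.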