Bedrock DeFi hacked for $1.7M uniBTC through smart contract exploit

Source Cryptopolitan

Bedrock DeFi, a Bitcoin-based DeFi protocol with a wrapped asset, was drained of $1.7M. The theft of uniBTC happened just a day after an attack against Onyx Finance. 

Bedrock DeFi was exploited for $1.7M in uniBTC, as the restaking pool was drained through a smart contract exploit. After researching the attack, Bedrock shut down the problematic smart contract, avoiding further exploits. The hacker was able to mint uniBTC with no limits, potentially exposing all related pools and trading pairs.

The exploit was initially discovered by the Dedaub analysis team, who immediately tried to contact Bedrock developers. However, less than three hours later, another attacker applied that knowledge and created excess uniBTC.

Bedrock DeFi announced that the exploit only affected uniBTC, another tokenized form of BTC. The underlying reserves remain safe, and the protocol has resolved the issue. The platform holds more than $243M in assets staked from various networks, including Bitcoin and Ethereum. Bedrock DeFi aimed to offer multi-chain liquid re-staking, where idle assets could earn passive income. 

The tokenized uniBTC asset is an ERC-20 contract on the Ethereum chain. The wrapped BTC is held in 3,552 addresses and has a total market cap of $75.4M. Soon after the exploit, some of the decentralized pairs saw extraordinary action. 

Versions of uniBTC exist on a total of eight networks, and some protocols like Pendle have exposure up to $30M to the asset, tied with Corn protocol. A similar vulnerable contract for minting uniBTC posed a threat on Ethereum, Binance, Arbitrum, Optimism mainnet, Mantle, Mode, BOB, and ZetaChain. Researchers from Dedaub warned Pendle, which saved most of the value locked there from being exploited as exit liquidity.

The uniBTC hack caused some contagion on decentralized exchanges. One of the Uniswap V3 pools saw the price crash to $17,889.15, while another pair traded at a smaller discount at $62,311.48. The Optimism version of the decentralized pair crashed by 90% to under $18,000. The asset even reached a new low of $5,741.48. Selling pressure dominates, preventing attempts at arbitrage, due to the low liquidity of the pairs. 

The actual swap rate crash may have hurt the protocol more, also inflicting reputational damage. Hours after the hack, uniBTC had not recovered its parity with WBTC, which makes up most of the trading pairs. 

As with other exploits, fake comments on social media called for using a revocation website. Wallet users face additional risks from those malicious links, which could drain the remaining assets. 

Hacker exploited Bedrock’s call to uniBTC contract 

The exploit affected the tokenized wrapped uniBTC, which has backing in actual BTC and WBTC. Researchers like Dedaub claimed they had noticed the potential function to exploit Bedrock, but the hack happened hours after the warning.

Dedaub noted a malicious actor could create infinite uniBTC and attack vaults and decentralized pairs. The attack potentially affected Pendle and Corn, in addition to Bedrock DeFi. The exploiter could deposit a small amount of ETH and mint uniBTC at a disparate exchange rate. The newly minted asset would be fully transferable and could be resold for more WBTC on Uniswap or other decentralized protocols. 
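The failure described above is a broken backing invariant: the value of uniBTC minted should never exceed the value of the asset deposited. The following monitoring check is an added example, not code from Bedrock, Dedaub or the original article; the prices, decimals, event fields and transaction labels are constructed assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed reference prices (USD) and token decimals: assumptions for this
# example, not figures from the article or from Bedrock's contracts.
PRICE_USD = {"ETH": Fraction(2600), "WBTC": Fraction(63000), "uniBTC": Fraction(63000)}
DECIMALS = {"ETH": 18, "WBTC": 8, "uniBTC": 8}

@dataclass(frozen=True)
class MintEvent:
    tx: str          # constructed label, not a real transaction hash
    asset_in: str    # asset deposited to the (hypothetical) mint function
    amount_in: int   # deposit, in the asset's smallest unit
    minted: int      # uniBTC credited, in uniBTC's smallest unit

def usd_value(asset: str, base_units: int) -> Fraction:
    """Exact USD value of an amount given in base units."""
    return PRICE_USD[asset] * Fraction(base_units, 10 ** DECIMALS[asset])

def check_mint(ev: MintEvent, tolerance: Fraction = Fraction(1, 100)):
    """Return (ok, ratio), where ratio = minted value / deposited value.
    Unpriced assets and mints against a zero deposit are rejected (ratio=None)."""
    if ev.asset_in not in PRICE_USD:
        return False, None
    deposited = usd_value(ev.asset_in, ev.amount_in)
    minted = usd_value("uniBTC", ev.minted)
    if deposited == 0:
        return minted == 0, None
    ratio = minted / deposited
    return ratio <= 1 + tolerance, ratio

def flag_mints(events):
    """Transaction labels whose mint broke the value-backing invariant."""
    return [ev.tx for ev in events if not check_mint(ev)[0]]

# Constructed sample events.
SAMPLE = [
    MintEvent("tx-a", "WBTC", 1 * 10**8, 1 * 10**8),   # 1 WBTC -> 1 uniBTC
    MintEvent("tx-b", "ETH", 1 * 10**18, 1 * 10**8),   # 1 ETH -> 1 uniBTC
    MintEvent("tx-c", "ETH", 1 * 10**18, 4_000_000),   # 1 ETH -> 0.04 uniBTC
    MintEvent("tx-d", "XYZ", 5 * 10**18, 1 * 10**8),   # unpriced asset
    MintEvent("tx-e", "WBTC", 0, 1 * 10**8),           # mint with no deposit
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.tx, check_mint(ev))
```

The same comparison belongs inside the mint path itself, so that a deposit in any accepted asset is converted to BTC terms before uniBTC is credited; the off-chain check only shortens the time to detection.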

Another researcher, Chaofan Shou, pointed out the uniBTC contract was vulnerable to a function call. The sum at risk was precisely drained a few hours before the analysis. 

Calls to smart contracts remain one of the biggest risks, especially as the value locked in DeFi protocols has grown. The attack against Bedrock DeFi happened while the protocol’s total value locked was near an all-time high of $243M.

What saved the protocol was the non-custodial nature of the staking, which allowed the hacker to steal the wrapped asset and affect DEX liquidity pools, but not the underlying reserves. Wrapped BTC often uses cold wallets and is not easily swappable back to the original asset. 

Bedrock uses Babylon Labs and EigenLayer to achieve its reward structure. Those protocols are securely unlocking the value of BTC and ETH, without exposing the assets directly to risk. The uniBTC created could also be used on Pendle and Velodrome to achieve passive returns.

Most of the attacks in the past weeks have been against Ethereum-based DeFi. The current attack affected a Bitcoin-derivative asset, though one still using the Ethereum blockchain for the bulk of value transfers.

Cryptopolitan reporting by Hristina Vasileva
