Hack Explained - Bedrock

Written by Rivanorth | 07 January 2025

Bedrock is a multi-asset liquid staking protocol designed to enhance liquidity in the blockchain ecosystem, particularly for institutional investors. Recently, it suffered a significant security breach resulting in the theft of approximately $2 million. The exploit stemmed from a vulnerability in the uniBTC smart contract, which allowed attackers to mint tokens uncontrollably.

Behind the Breach

The exploit occurred on September 27, 2024, when hackers targeted the uniBTC contract, a synthetic Bitcoin token used within Bedrock's offerings. The vulnerability allowed the attackers to mint 30.8 uniBTC, which was then exchanged for Wrapped Bitcoin (WBTC) within a Uniswap pool. Despite prior warnings about potential security issues, Bedrock's response was not swift enough to prevent the exploit. The attackers, reportedly utilising around 125 unique addresses, managed to drain liquidity primarily from decentralised exchange pools.

Lessons from the Incident

This incident highlights a critical lesson about security in the DeFi space. The breach's root cause lay in improper handling of token types within the smart contract, emphasising the need for more rigorous security audits.