Bedrock Vulnerability Allows Hacker To Drain $2M From UniBTC Liquidity Pools

Bedrock, a liquid restaking protocol, confirmed it suffered a security exploit, resulting in a loss of approximately $2 million from its synthetic Bitcoin token, uniBTC.

On Sept. 27, Bedrock tweeted that hackers exploited a vulnerability in its smart contracts, allowing them to mint Bedrock’s uniBTC — an ERC-20 token backed by Bitcoin — against ETH.

After spotting the vulnerability, the hacker drained Bedrock’s liquidity pool of its uniBTC liquidity pool to make off with a roughly $2 million gain. Most of the losses were suffered by liquidity providers for decentralized exchanges.

UniBTC last changed hands for roughly $36,000, equating to a 55% discount compared to the price of Bitcoin.

Reimbursement plan

Bedrock said that the issue has been "handled" and all of the Bitcoin backing uniBTC are safe.

"A comprehensive reimbursement plan is being finalized and will be shared shortly together with a post-mortem report," the team said. “Rest assured that all uniBTC held by users are safe.”

Bedrock reached out to the hacker through an on-chain message.

The protocol extended an offer for the attacker to work as a white hat hacker to help identify vulnerabilities with the protocol. Bedrock also offered a bounty to the hacker in exchange for returning the assets they swindled.

“We would like to communicate with you inviting you to become a white hat for the recent incidence,” Bedrock asked in the message. “Would you be interested in working with us and making the protocol more secure? And we are happy to work on a reward for your help.”

At the time of writing, the hacker had not responded to Bedrock's offer, nor had Bedrock responded to The Defiant’s request to comment.

Bedrock boasts a total value locked (TVL) of $243 million, up 567% year-to-date, according to DeFi Llama.

Hacks and Scams Surge in 2024

The Bedrock exploit comes as exploits targeting web3 protocols is on the rise.

Web3 cybersecurity firm Cyvers reported that losses from hacks and scams for the first three quarters of a calendar year hit an all-time high of $2.1 billion in 2024.

However, the total cryptocurrency market capitalization surged 121% over the past 12 months to $2.38 billion from $1.08 trillion on Sept. 27, 2023, meaning the value of stolen assets has consistently risen with the markets.

Cyvers said centralized finance (CeFi) platforms were hit harder than their decentralized counterparts, with a 984% year-on-year increase in losses.