Staking Protocol Bug Let Users Swap One Bitcoin for One Ethereum

A security exploit on staking protocol Bedrock allowed users to swap Universal Bitcoin, a wrapped Bitcoin on the platform, with Ethereum at a 1:1 ratio, despite a price difference of more than $60,000.

The exploit, which has now been “handled,” resulted in an estimated $2 million being swiped from the protocol, mostly from decentralized exchange liquidity pools. The staking protocol said it is working to recover the lost funds, that a reimbursement plan is being “finalized,” and that it will share proof-of-reserves “once it is available.”

Dedaub, the staking protocol’s security firm, had notified Bedrock of the vulnerability hours prior to the attack, but most of the team was asleep and so couldn’t act in time. The vulnerability was introduced by a contract upgrade that took place 36 hours before the attack, which mismatched the exchange rate between Ethereum and Bitcoin.

Bedrock has yet to respond to Decrypt’s query on why the contract wasn’t audited prior to going live.

In many ways, the protocol was fortunate that only $2 million was taken. As explained by Dedaub, the exploit was an “infinite-mint vulnerability” on the uniBTC token, meaning that the entire protocol’s funds could have been drained. However, in collaboration with white hat group Seal 911, the potential losses were minimized by pausing third-party protocols exposed to at-risk funds.

“We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU,” Bedrock posted on Twitter, over six hours after the exploit was first highlighted there. “At this time, no extra actions are required from our community. Rest assured that all uniBTC held by users are safe.”

At the time of writing, uniBTC is worth $63,450 while Ethereum is just $2,660, according to CoinGecko. That means for every uniBTC that the attacker minted they would have profited over $60,000.

The attacker’s initial wallet was funded through Tornado Cash, a crypto mixer sanctioned by the U.S. Treasury, before it performed the exploit at 6:28 p.m. UTC on Thursday to the tune of $1.8 million. The wallet then sent the appropriated funds to a new wallet that now holds 650 ETH ($1.73 million). Both addresses later received blockchain messages from the Bedrock deployer address.

“We would like to communicate with you inviting you to become a white hat for the recent incidence,” the message reads. “Would you be interested in working with us and making the protocol more secure? And we are happy to work on a reward for your help.”

White hat hackers use their skills to help boost the security of platforms by identifying exploits. There are countless examples of crypto protocols losing millions in attacks, only for the funds to be returned later in a white hat rescue pivot.

For now, however, this does not seem to be the case for Bedrock, as the wallet holding the stolen funds is inactive.

Edited by Stacy Elliott.


Ryan Gladwin

https://decrypt.co/283440/staking-protocol-bug-let-users-swap-one-bitcoin-for-one-ethereum

2024-09-27 13:32:58
