On September 26, 2024, the Bedrock DeFi protocol, a liquid restaking platform, was attacked, resulting in an approximate $1.7M loss on the Ethereum mainnet. The hack targeted the Vault contract, which controls the minting of the uniBTC token.
Overview
Attacker: https://etherscan.io/address/0x2bfb373017349820dda2da8230e6b66739be9f96
Vulnerable Contract: https://etherscan.io/address/0x047d41f2544b7f63a8e991af2068a363d210d6da
Transaction attack: https://etherscan.io/tx/0x725f0d65340c859e0f64e72ca8260220c526c3e0ccde530004160809f6177940
Exploit Analysis
Looking at the exploit transaction, we can observe that after borrowing 30.8 WETH from the Balancer Vault using flashloan, the attacker's contract converted it all to native ETH and transferred it to Bedrock DeFi's Vault contract, ultimately leading to the minting of 30.8 uniBTC tokens.
Checking the source code of the Vault contract, we can clearly see that this contract expects the native token to be BTC. However, since this contract is deployed on the Ethereum chain, it produces an incorrect conversion ratio (1:1) between uniBTC and ETH, which is a simple but critical error.
Lesson learned
For contracts that control the minting or holding of tokens, even a minor error can result in significant security vulnerabilities. Therefore, conducting a security audit before deploying contracts in the production environment is critically important.
