Bedrock SigmaSupplier uniBTC Forging Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

[1][2][3][4][5][6][7][8][9][10][11][12][13]

About Bedrock Technology

"The world's first multi-asset liquid restaking protocol."

"Bedrock is a multiple asset liquid restaking protocol that is backed by a non-custodial solution designed in partnership with RockX, a longstanding blockchain infrastructure company with strong roots in crypto staking."

"uniBTC [is a] brand new restaking protocol that accepts wrapped BTC tokens in partnership with the BTC staking protocol Babylon chain. The first supported wrapped BTC is the wBTC token on the Ethereum blockchain, so all the wBTC token holders will enjoy both yield on staking BTC tokens plus the security of the Ethereum network."

"The uniBTC contracts are designed to enable users to convert their BTC assets into an equivalent amount of uniBTC tokens. By design, minting uniBTC using native tokens on non-native BTC chains should NOT be allowed, as the native token no longer represents native BTC."

The Reality

A "vulnerable contract was deployed across eight different chains: Ethereum, BNBChain, Arbitrum, Optimism, Mantle, Mode, BOB, and ZetaChain."

What Happened

"On Sep-26-2024 06:28:23 PM UTC, a vulnerability in the uniBTC smart contract was exploited, allowing the exploiter to mint 30.8 uniBTC and swap them for wBTC in Uniswap pools."

Key Event Timeline - Bedrock SigmaSupplier uniBTC Forging Exploit

| Date | Event | Description |
| --- | --- | --- |
| September 25th, 2024 12:17:00 AM MDT | Vulnerable Code Deployed | Vulnerable code is deployed to the Bedrock smart contract. |
| September 26th, 2024 12:28:23 PM MDT | Time Of Exploit Transaction | The exact time of the exploit on the blockchain. |
| September 26th, 2024 5:15:00 PM MDT | Dedaub Report On Exploit | Dedaub announces that their team reported a critical issue on the Bedrock protocol, which was ultimately exploited some hours later. "Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains)." |
| September 26th, 2024 7:39:00 PM MDT | Bedrock Is Aware Now | Bedrock sends out a public notice that they are "aware of a security exploit involving uniBTC". |
| September 27th, 2024 7:16:51 AM MDT | Chainlink Proof Of Reserve | The Bedrock protocol announces the implementation of a Proof of Reserves protocol provided by Chainlink. "As the industry standard, Proof of Reserve will secure our minting function, providing users with cryptographic guarantees around asset reserves." |
| September 27th, 2024 10:20:16 AM MDT | Bedrock Post-mortem Published | |
| September 30th, 2024 12:24:00 PM MDT | Rekt Investigation | Rekt News starts their investigation of the incident. |
| October 1st, 2024 3:18:00 AM MDT | Bitcoin Restaking Live | The Bedrock team announces that they are "pleased to announce all uniBTC contracts have been resumed, and you can begin staking bitcoin on @babylonlabs_io with Bedrock NOW". |

Technical Details

"The uniBTC contracts are designed to enable users to convert their BTC assets into an equivalent amount of uniBTC tokens. By design, minting uniBTC using native tokens on non-native BTC chains should NOT be allowed, as the native token no longer represents native BTC."

"The handling of native tokens differs from wrapped tokens because msg.value is already transferred into the contract. As a result, the check on Line 170 does not need to account for the _amount transferred, unlike the check on Line 184. Therefore, if the cap is set to 0, the mint function will revert for native tokens.

The vulnerability lies within the SigmaSupplier (Sigma) contract.

First, tokens must be registered to be included in the current total balance of native or wrapped BTC tokens. Second, if a token is not registered, the contract returns 0, meaning it cannot be found in the tokenHolders variable. The following figure shows that only FBTC, WBTC, and cbBTC have been registered, while NATIVE_BTC has NOT. On one hand, NATIVE_BTC should NOT be registered in this contract, as it is not intended to be supported. On the other hand, failing to register NATIVE_BTC results in the totalSupply always being ZERO, which contradicts the caps restriction mechanism.

Since the total supply at that time was ZERO instead of reflecting the msg.value received by the contract, the check in the Vault contract passed, allowing the minting of uniBTC using native tokens on non-native BTC chains.

Therefore, on a non-native BTC chain, replacing the balance with the total supply is acceptable for wrapped BTC tokens but problematic for native tokens."
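
A simplified Python model of the cap check described in the quoted post-mortem, added here as an illustration; it is not Bedrock's Solidity code. The class names, the `check` switch and the sample balances are assumptions, and the balance-based variant is one possible guard, not necessarily the fix Bedrock deployed.

```python
NATIVE_BTC = "NATIVE_BTC"  # sentinel for the chain's native token (not real BTC here)

class Revert(Exception):
    """Models an EVM revert: the call fails and msg.value is returned."""

class SupplyFeed:
    """Hypothetical stand-in for SigmaSupplier: knows registered tokens only."""
    def __init__(self, holdings):
        self.holdings = dict(holdings)           # token -> balance held

    def total_supply(self, token):
        return self.holdings.get(token, 0)       # unregistered token reads as 0

class Vault:
    def __init__(self, feed, caps, check):
        self.feed, self.caps, self.check = feed, caps, check
        self.native_balance = 0                  # models address(this).balance
        self.unibtc_minted = 0

    def mint_native(self, msg_value):
        self.native_balance += msg_value         # value arrives before any check
        cap = self.caps.get(NATIVE_BTC, 0)       # 0 = native minting disabled
        if self.check == "feed":
            # Flawed: NATIVE_BTC is unregistered, so this is 0 and 0 > 0 is False.
            observed = self.feed.total_supply(NATIVE_BTC)
        else:
            # "balance": already includes msg_value, so a cap of 0 always reverts.
            observed = self.native_balance
        if observed > cap:
            self.native_balance -= msg_value     # undo the transfer on revert
            raise Revert("cap exceeded for NATIVE_BTC")
        self.unibtc_minted += msg_value          # 1:1 mint against the native token
        return self.unibtc_minted

def try_mint(check, msg_value=30):
    """Return uniBTC minted on a chain where the native token is not BTC."""
    feed = SupplyFeed({"FBTC": 100, "WBTC": 100, "cbBTC": 100})  # constructed values
    vault = Vault(feed, caps={"WBTC": 1000}, check=check)        # no native cap set
    try:
        return vault.mint_native(msg_value)
    except Revert:
        return 0

if __name__ == "__main__":
    print("feed-based check mints:", try_mint("feed"))
    print("balance-based check mints:", try_mint("balance"))
```

The feed-based check passes because an unregistered token and a disabled cap both read as zero; a deployment review can catch this class of bug by asserting that every token the mint path accepts is either registered in the supply source or explicitly rejected.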

Total Amount Lost

The total amount lost has been estimated at $2,000,000 USD.

Immediate Reactions

"In response, we paused the vulnerable contract and implemented a fix to mitigate the vulnerability, which was later confirmed to have affected approximately $2 million in liquidity, primarily within the Uniswap pool."

"The multi-chain liquidity re-staking protocol Bedrock announced on social media that the team is aware of a security vulnerability involving uniBTC, with the total estimated loss from the theft around $2 million. According to the SlowMist security team’s analysis, the attack was caused by Bedrock mistakenly supporting the minting of uniBTC at a 1:1 exchange rate with the native token."

"We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU.

We want to reassure everyone that the underlying wrapped BTCs and BTCs in reserves are secure. The total estimated impact of the exploit is approximately $2 million (mostly in DEX LPs). The root cause has been identified and we are taking steps to address it. A comprehensive reimbursement plan is being finalized and will be shared shortly together with a post-mortem report.

Bedrock is collaborating closely with audit teams and white hats to recover the lost funds. A Proof of Reserves will be shared once it is available to ensure transparency.

At this time, no extra actions are required from our community. Rest assured that all uniBTC held by users are safe."

Ultimate Outcome

"Bedrock is integrating @chainlink Proof of Reserve to enhance security and help prevent future exploits.

As the industry standard, Proof of Reserve will secure our minting function, providing users with cryptographic guarantees around asset reserves."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Bedrock - Rekt (Accessed Oct 1, 2024)
  2. SlowMist Hacked - SlowMist Zone (Accessed Oct 1, 2024)
  3. @dedaub Twitter (Accessed Oct 1, 2024)
  4. @Bedrock_DeFi Twitter (Accessed Oct 1, 2024)
  5. @Bedrock_DeFi Twitter (Accessed Oct 1, 2024)
  6. Post Mortem Report — Bedrock (Accessed Oct 1, 2024)
  7. Bedrock: World's first multi-asset liquid restaking protocol (Accessed Oct 1, 2024)
  8. Introducing Bedrock | Bedrock (Accessed Oct 1, 2024)
  9. Audit reports | Bedrock (Accessed Oct 1, 2024)
  10. @Bedrock_DeFi Twitter (Accessed Oct 1, 2024)
  11. Bedrock Is Integrating Chainlink Proof of Reserve To Natively Se… — Bedrock (Accessed Oct 1, 2024)
  12. @Bedrock_DeFi Twitter (Accessed Oct 1, 2024)
  13. x.com (Accessed Nov 4, 2024)