Bedrock’s liquid restaking platform has suffered a security exploit expected to cost it about $2 million. In a surprising twist, the attacker has since been offered a position helping to secure the system they compromised.
The vulnerability, found by Web3 security firm Dedaub on Sept. 26, was a weakness in Bedrock’s uniBTC vaults. Dedaub said it reported the vulnerability to the protocol, which, however, took no immediate action to neutralize the threat.
⚠️Important Announcement from the Bedrock Team
We want to inform you that the Bedrock team is aware of a security exploit involving uniBTC. The issue has been handled and funds are SAFU.
We want to reassure everyone that the underlying wrapped BTCs and BTCs in reserves are…
— Bedrock | Bitcoin Restaking LIVE (@Bedrock_DeFi) September 27, 2024
While the exploit caused a loss of $2 million, the hacker could have stolen up to $75 million. Bedrock did not publicly disclose the incident until Sept. 27, when it also announced a reimbursement plan for affected investors. The protocol said it is working with audit teams and white-hat hackers to try to recover the stolen funds.
Bedrock also attempted to contact the attacker with an on-chain message, visible on Etherscan, a service for analyzing activity on the Ethereum blockchain.
Bedrock Protocol Offers $2 Million Bounty to Hacker
Crypto restaking protocol Bedrock has reached out to the hacker behind the $2 million breach of its uniBTC vault with the offer of a reward. At the time of writing, the attacker had not responded.
The Bedrock team nevertheless sought to reassure users that the remaining funds on its platform are safe, and confirmed plans to resume staking on the uniBTC contracts once the identified vulnerability has been fully addressed.
The approach mirrors a recent case in which crypto lender Shezmu recovered nearly $5 million from a hacker after on-chain negotiations.
After discovering that the vault of its ShezmuUSD (ShezUSD) stablecoin had been exploited, Shezmu initially offered a 10% bounty if the stolen funds were returned, with no legal consequences. The hacker held out for 20%, which Shezmu eventually agreed to.
Dear White Hat,
The Shezmu team is offering a 10% bounty of the exploited funds, provided that the remaining funds are returned within the next 24 hours. If the funds are not refunded within this time frame, we will escalate the matter through legal channels.…
— Shezmu (@ShezmuTech) September 20, 2024
Shezmu Recovers Stolen Funds After Onchain Negotiation with Hacker
Following the successful on-chain negotiations, crypto lender Shezmu began receiving the stolen funds from the hacker who had exploited the vault of its ShezmuUSD (ShezUSD) stablecoin.
After the negotiation, the hacker began returning the stolen Dai tokens to Shezmu’s wallet, starting with 282.18 Ether sent to the protocol, followed by another 137 Wrapped Ether.
The recovery came after Shezmu agreed to raise the bounty from 10% to 20% of the illicitly transferred funds; as a result, nearly $5 million in assets were returned.