Summary
uniBTC is a synthetic Bitcoin liquid restaking token issued by Bedrock protocol, enabling wBTC holders to earn BTC-native yield via the Babylon staking protocol while retaining liquidity. In September 2024, a critical minting vulnerability in multiple uniBTC vault smart contracts across eight blockchains was exploited for approximately $2 million, hours after a third-party security firm disclosed the flaw. Post-incident forensics by Fuzzland, disclosed in June 2025, attributed the exploit to an insider threat: a former employee who embedded malware into Fuzzland's internal codebase and used privileged access to execute the attack. Bedrock has since integrated Chainlink Proof of Reserve and expanded to multiple new chains.
Timeline (15 events)
2024-06-12
Blocksec conducts initial audit of uniBTC contracts.
2024-09-04
Alleged insider (later identified as a former Fuzzland employee) modifies Cargo.toml to include malicious Rust crate 'rands', embedding malware in Fuzzland workstations.
2024-09-25
Vulnerable uniBTC vault contract deployed approximately 36 hours before the exploit.
2024-09-26
16:00 UTC — Dedaub discovers and confirms the critical infinite-mint vulnerability in uniBTC vault contracts across 8 chains.
2024-09-26
16:27 UTC — Dedaub reports vulnerability to Bedrock via Twitter. 16:41 UTC — SEAL 911 war room created.
2024-09-26
Emergency call held between Fuzzland and relevant parties to discuss the Dedaub-identified vulnerability. Insider with privileged access participates.
2024-09-26
18:28 UTC — First exploit transaction executes on Ethereum. Attacker mints ~30.8 uniBTC, swaps to WBTC via Uniswap, converts to ~680 WETH, nets ~649.6 WETH (~$1.7M) after repaying flash loan.
2024-09-26
Bedrock coordinates with Pendle Finance to disable uniBTC exposure, protecting over $30M in liquidity. Vulnerable vaults paused across 8 chains.
2024-09-27
Bedrock publicly acknowledges exploit. Estimates total losses at approximately $2 million, primarily in DEX liquidity pools. Announces reimbursement plan.
2024-09-27
Stolen funds routed through Tornado Cash mixing service.
2024-09-28
Bedrock publishes post-mortem report via X (@Bedrock_DeFi). Extends job offer to attacker; no response publicly reported.
2024-09-29
Bedrock announces Chainlink Proof of Reserve Secure Mint integration as primary security remediation. PeckShield conducts post-incident audit (completed October 1, 2024). Blocksec conducts second audit (completed October 30, 2024).
2025-02-05
Bedrock contributes approximately 1,000 uniBTC to Berachain's Boyco campaign; Boyco TVL reaches $3 billion.
2025-06-26
Fuzzland publishes transparency report disclosing that a former employee was behind the September 2024 exploit using supply chain malware, social engineering, and privileged access. Fuzzland accepts full responsibility and states all affected parties were reimbursed.
2025-09-04
Bedrock launches uniBTC and brBTC on the Aptos blockchain, reporting nearly $700M in TVL and over 5,000 BTC staked across 15+ chains.
Decision Log
- hash: Jfvm3mfnou3twAqyqFTUkjKW6frety37kV4xZwpXhzi
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:28 AM
last updated: 5/28/2026, 3:28:42 AM
avoid.net — verified advice for a post-truth world