Verify a decision

{"actor":"system:backfill","investigation_id":"115a5a12-8658-46ed-a28a-82a146c39d24","kind":"publish","page_slug":"bedrock-protocol","published_at":"2026-06-01T17:47:04.281Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Bedrock Protocol","sections":[{"content":"On September 27, 2024, Bedrock Protocol's uniBTC vault was exploited via a critical vulnerability in its minting function. The flawed logic allowed ETH deposits to be converted into uniBTC at a 1:1 ratio, ignoring the substantial price difference between ETH and BTC (Bitcoin was trading roughly $60,000 above ETH at the time). Using this miscalculation, the attacker minted approximately 30.8 uniBTC tokens with minimal ETH outlay, then swapped the inflated uniBTC supply on Uniswap and other DEX liquidity pools, draining roughly $2 million (approximately 650 ETH) in assets. The attacker's address (0x2bFB373017349820dda2Da8230E6b66739BE9F96) was funded through Tornado Cash, and stolen proceeds were subsequently routed through Aave lending contracts before being dispersed across multiple wallets and back through Tornado Cash. The uniBTC contract had been deployed for fewer than two days before the exploit occurred. Security researchers noted the vulnerability could theoretically have allowed drainage of the entire protocol, which had approximately $75 million in total market cap at the time across at least eight blockchains; only $2 million was extracted before operations were paused.","heading":"September 2024 Smart Contract Exploit","severity":"critical","sources":[{"credibility":2,"name":"Decoding What Went Wrong with Bedrock: $2M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/bedrock-2million-exploit"},{"credibility":2,"name":"Bedrock Vulnerability Allows Hacker To Drain $2M From UniBTC Liquidity Pools — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/bedrock-vulnerability-allows-hacker-to-drain-usd2m-from-unibtc-liquidity-pools"},{"credibility":2,"name":"Liquid Restaking Protocol Bedrock Loses $2 Million in uniBTC Security Exploit — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/liquid-restaking-protocol-bedrock-loses-2-million-in-unibtc-security-exploit/"},{"credibility":2,"name":"UniBtc Hack Analysis — BlockApex","type":"research","url":"https://blockapex.io/unibtc-hack-analysis/"}]},{"content":"Web3 security firm Dedaub identified the critical uniBTC vault vulnerability at approximately UTC 16:00 on September 26, 2024 — roughly 28 hours before the exploit was executed. Dedaub reported the issue to the Bedrock account on Twitter (X) at UTC 16:27, and a SEAL 911 war room was created at UTC 16:41. The first exploit transaction was recorded at UTC 18:28 on September 27. According to reporting, Bedrock's team was largely unavailable to respond in time due to timezone differences. The vulnerability is described by Dedaub as deriving from a flawed exchange-rate path in the uniBTC minting function: a specific code path called `_mint(msg.sender, msg.value)` which minted tokens equal to the ETH `msg.value` without applying any BTC/ETH price conversion. This represents a failure in pre-deployment code review processes, given the contract had gone live fewer than two days before the exploit.","heading":"Vulnerability Disclosure and Pre-Exploit Warning","severity":"critical","sources":[{"credibility":2,"name":"Bedrock Vulnerability Disclosure and Actions — Dedaub","type":"research","url":"https://dedaub.com/blog/bedrock-vulnerability-disclosure-and-actions/"},{"credibility":2,"name":"Hack Explained: Bedrock — Riva North","type":"research","url":"https://rivanorth.com/blog/hack-explained-bedrock"}]},{"content":"In June 2025, smart contract analytics firm Fuzzland publicly alleged that a former employee was responsible for the September 2024 Bedrock exploit. According to Fuzzland's disclosure, the individual gained employment at Fuzzland under the guise of a skilled MEV developer and, while employed, inserted a trojan into Fuzzland's MEV codebase using a malicious Rust crate named `rands`. The backdoor created persistent access to engineering workstations and allegedly remained undetected for weeks. Fuzzland alleges the attacker learned of the uniBTC vulnerability during an internal emergency response call and exploited the information to execute the on-chain attack before Bedrock could patch. Fuzzland stated it compensated Bedrock for its losses using company funds, engaged Web3 security firm zeroShadow to investigate and rule out broader internal collusion, and filed reports with both the FBI and Chinese law enforcement. These allegations have not been independently confirmed through court filings or regulatory records as of the date of this investigation.","heading":"Alleged Insider Threat: Fuzzland Ex-Employee","severity":"high","sources":[{"credibility":2,"name":"Fuzzland Says Ex-Employee Was Behind $2M Bedrock UniBTC Exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/fuzzland-ex-employee-bedrock-unibtc-exploit"},{"credibility":2,"name":"Ex-Employee Hacks Bedrock UniBTC for $2M: Fuzzland Uncovers Insider Exploit — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/ex-employee-hacks-bedrock-unibtc-for-2m-fuzzland-uncovers-insider-exploit/"},{"credibility":3,"name":"Fuzzland Reveals Insider Behind $2M UniBTC Hack at Bedrock — The Shib Daily","type":"news_article","url":"https://news.shib.io/2025/06/26/fuzzland-reveals-insider-behind-2m-unibtc-hack-at-bedrock/"}]},{"content":"Immediately following detection of the exploit, Bedrock paused the uniBTC contract, halting all minting and transfers. The team confirmed that the underlying Bitcoin and wBTC reserves in custody were not directly affected — losses were confined to decentralized exchange liquidity pools. Bedrock publicly committed to a user reimbursement plan and published a post-mortem report via its official X account. The protocol engaged white-hat security teams for fund recovery efforts. Bedrock also announced it was considering airdropping new tokens to affected users and indicated it would take a snapshot of user balances for distribution purposes. Separately, Fuzzland stated in its June 2025 disclosure that it had already compensated Bedrock for the losses from company funds. The full extent of user compensation and the final reimbursement amounts have not been independently verified through on-chain records or third-party audit confirmation as of this investigation.","heading":"Protocol Response and User Compensation","severity":"medium","sources":[{"credibility":2,"name":"Bedrock Post-Mortem Update on uniBTC Security Incident — Bedrock Official X","type":"official","url":"https://x.com/Bedrock_DeFi/status/1839712719630676051"},{"credibility":2,"name":"Liquid Restaking Protocol Bedrock Suffers $2M Loss in Latest Crypto Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/liquid-restaking-protocol-bedrock-suffers-2m-loss/"},{"credibility":2,"name":"Bedrock Faces $2 Million Loss in uniBTC Security Breach — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2024/09/27/bedrock-faces-2-million-loss-in-unibtc-security-breach/"}]},{"content":"Following the exploit, uniBTC's market price declined sharply as the attacker's dumped supply flooded Uniswap pools. At the time of reporting, uniBTC was trading at approximately $36,000 — a roughly 55% discount to Bitcoin's prevailing spot price. Liquidity across multiple uniBTC trading pairs on Ethereum-based DEXes was substantially drained. Pendle Finance and Corn Protocol, which had integrated uniBTC, proactively paused their own operations upon learning of the vulnerability, limiting spillover to their platforms. The price dislocation and liquidity impairment would have directly impacted users who held uniBTC positions or provided liquidity to uniBTC pools during and after the attack window.","heading":"Market Impact: uniBTC Price and Liquidity","severity":"high","sources":[{"credibility":2,"name":"Bedrock Vulnerability Allows Hacker To Drain $2M From UniBTC Liquidity Pools — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/bedrock-vulnerability-allows-hacker-to-drain-usd2m-from-unibtc-liquidity-pools"},{"credibility":2,"name":"Crypto Staking Platform Bedrock Exploited Via a Bug — Crypto.News","type":"news_article","url":"https://crypto.news/crypto-staking-platform-bedrock-exploited-via-a-bug-users-can-swap-1-eth-for-1-btc/"}]},{"content":"In the days following the September 2024 exploit, Bedrock announced a series of remediation and security enhancement measures. The protocol integrated Chainlink Proof of Reserve (PoR) directly into its minting function, establishing automated on-chain verification that newly minted tokens are fully backed by underlying reserves. This integration was intended to prevent future infinite-mint-style attacks by embedding cryptographic reserve checks as a prerequisite to any token issuance. Bedrock additionally committed to comprehensive third-party smart contract audits, continuous 24/7 monitoring of all smart contracts, and broader improvements to its security response procedures. By September 2025, the protocol reported approximately $700 million in total value locked across 15+ supported chains and had expanded uniBTC and brBTC to the Aptos blockchain, suggesting operational recovery from the incident.","heading":"Security Upgrades Following the Exploit","severity":"low","sources":[{"credibility":2,"name":"Liquid Restaking Protocol Bedrock Adopts Chainlink Proof of Reserve After $2M Exploit — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/bedrock-chainlink-integration-security/"},{"credibility":2,"name":"After $2 Million Exploit, Bedrock Turns To Chainlink Proof Of Reserve For Secure Minting — Chainlink Today","type":"news_article","url":"https://chainlinktoday.com/after-2-million-exploit-bedrock-turns-to-chainlink-proof-of-reserve-for-secure-minting/"},{"credibility":1,"name":"Bedrock Launches uniBTC and brBTC on Aptos — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/bedrock-launches-unibtc-and-brbtc-on-aptos-expanding-the-frontiers-of-btcfi-302546744.html"}]},{"content":"Bedrock Protocol was developed by RockX, a Singapore-headquartered blockchain infrastructure company. The protocol was launched in 2023 as the world's first KYC and AML-compliant institutional-grade liquid staking platform, positioning itself as a DeFi-accessible alternative for institutional stakers. Bedrock offers three primary synthetic staking tokens: uniBTC (Bitcoin liquid restaking), uniETH (Ethereum liquid staking), and uniIOTX (IoTeX staking). The protocol describes itself as a non-custodial solution and has received backing from investors including crypto trading firm Amber Group. Zhuling Chen is identified as the CEO and founder of RockX, the parent company behind Bedrock. The protocol operates across multiple EVM-compatible chains and has integrated with various DeFi platforms including Pendle Finance, Corn Protocol, and Berachain.","heading":"Background: Bedrock Protocol and RockX","severity":"low","sources":[{"credibility":2,"name":"RockX Launches New Liquid Staking Platform Bedrock — FFNews","type":"news_article","url":"https://ffnews.com/newsarticle/rockx-launches-bedrock-worlds-first-kyc-and-aml-compliant-institutional-grade-liquid-staking-platform/"},{"credibility":1,"name":"Blockchain Firm RockX Unveils Institutional Liquid Staking Platform — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/03/15/blockchain-firm-rockx-unveils-institutional-liquid-staking-platform"},{"credibility":1,"name":"Bedrock: World's First Multi-Asset Liquid Restaking Protocol — Official Site","type":"official","url":"https://www.bedrock.technology/"}]}],"sources_used":[{"name":"Decoding What Went Wrong with Bedrock: $2M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/bedrock-2million-exploit"},{"name":"Bedrock Vulnerability Allows Hacker To Drain $2M From UniBTC Liquidity Pools — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/bedrock-vulnerability-allows-hacker-to-drain-usd2m-from-unibtc-liquidity-pools"},{"name":"Liquid Restaking Protocol Bedrock Loses $2 Million in uniBTC Security Exploit — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/liquid-restaking-protocol-bedrock-loses-2-million-in-unibtc-security-exploit/"},{"name":"Fuzzland Says Ex-Employee Was Behind $2M Bedrock UniBTC Exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/fuzzland-ex-employee-bedrock-unibtc-exploit"},{"name":"Ex-Employee Hacks Bedrock UniBTC for $2M: Fuzzland Uncovers Insider Exploit — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/ex-employee-hacks-bedrock-unibtc-for-2m-fuzzland-uncovers-insider-exploit/"},{"name":"Bedrock Vulnerability Disclosure and Actions — Dedaub","type":"research","url":"https://dedaub.com/blog/bedrock-vulnerability-disclosure-and-actions/"},{"name":"Hack Explained: Bedrock — Riva North","type":"research","url":"https://rivanorth.com/blog/hack-explained-bedrock"},{"name":"Bedrock Post-Mortem Update — Bedrock Official X","type":"official","url":"https://x.com/Bedrock_DeFi/status/1839712719630676051"},{"name":"Liquid Restaking Protocol Bedrock Adopts Chainlink Proof of Reserve After $2M Exploit — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/bedrock-chainlink-integration-security/"},{"name":"After $2 Million Exploit, Bedrock Turns To Chainlink Proof Of Reserve — Chainlink Today","type":"news_article","url":"https://chainlinktoday.com/after-2-million-exploit-bedrock-turns-to-chainlink-proof-of-reserve-for-secure-minting/"},{"name":"Hacker Behind $2M Crypto Heist Receives Job Offer — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/bedrock-crypto-hack-2m-attacker-job-offer"},{"name":"Blockchain Firm RockX Unveils Institutional Liquid Staking Platform — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/03/15/blockchain-firm-rockx-unveils-institutional-liquid-staking-platform"},{"name":"UniBtc Hack Analysis — BlockApex","type":"research","url":"https://blockapex.io/unibtc-hack-analysis/"},{"name":"Bedrock Launches uniBTC and brBTC on Aptos — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/bedrock-launches-unibtc-and-brbtc-on-aptos-expanding-the-frontiers-of-btcfi-302546744.html"},{"name":"Bedrock: World's First Multi-Asset Liquid Restaking Protocol — Official Site","type":"official","url":"https://www.bedrock.technology/"},{"name":"Crypto Staking Platform Bedrock Exploited Via a Bug — Crypto.News","type":"news_article","url":"https://crypto.news/crypto-staking-platform-bedrock-exploited-via-a-bug-users-can-swap-1-eth-for-1-btc/"},{"name":"Bedrock Boosts Security After $2M Exploit With Chainlink Integration and Audits — FX Leaders","type":"news_article","url":"https://www.fxleaders.com/news/2024/09/29/bedrock-boosts-security-after-2m-exploit-with-chainlink-integration-and-audits/"},{"name":"Fuzzland Reveals Ex-Employee Behind $2M Bedrock UniBTC Exploit — StartupNews","type":"news_article","url":"https://startupnews.fyi/2025/06/25/fuzzland-reveals-ex-employee-behind-2m-bedrock-unibtc-exploit/"}],"summary":"Bedrock Protocol is a multi-asset liquid restaking protocol developed by RockX, offering synthetic Bitcoin (uniBTC), liquid-staked ETH (uniETH), and IoTeX staking (uniIOTX). On September 27, 2024, the protocol suffered a critical smart contract exploit in which a flawed minting function allowed an attacker to mint uniBTC tokens at a 1:1 ETH-to-BTC ratio, draining approximately $2 million from DEX liquidity pools. Subsequent investigation by security firm Fuzzland, disclosed in June 2025, alleged that a former Fuzzland employee planted a supply-chain backdoor to execute the attack; Fuzzland stated it compensated Bedrock for losses and reported the matter to law enforcement.","timeline":[{"date":"2023-03-15","event":"RockX publicly unveils Bedrock, a KYC/AML-compliant institutional liquid staking platform, via CoinDesk coverage.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/03/15/blockchain-firm-rockx-unveils-institutional-liquid-staking-platform"},{"date":"2024-09-25","event":"Bedrock deploys the uniBTC vault smart contract on Ethereum, less than 48 hours before it is exploited.","source":"Dedaub / QuillAudits","source_url":"https://dedaub.com/blog/bedrock-vulnerability-disclosure-and-actions/"},{"date":"2024-09-26","event":"Dedaub security team discovers and simulates the uniBTC minting vulnerability at approximately UTC 16:00 and reports it to Bedrock on Twitter at UTC 16:27; a SEAL 911 war room is created at UTC 16:41.","source":"Dedaub","source_url":"https://dedaub.com/blog/bedrock-vulnerability-disclosure-and-actions/"},{"date":"2024-09-27","event":"First exploit transaction is executed at approximately UTC 18:28. Attacker (0x2bFB3730...) mints uniBTC at a 1:1 ETH-to-BTC ratio and drains roughly $2 million from Uniswap and DEX liquidity pools. uniBTC price drops approximately 55% against Bitcoin spot price.","source":"QuillAudits / CryptoNews","source_url":"https://www.quillaudits.com/blog/hack-analysis/bedrock-2million-exploit"},{"date":"2024-09-27","event":"Bedrock pauses the uniBTC contract, halting all minting and transfers. Protocol confirms underlying BTC reserves are safe and commits to a reimbursement plan. Pendle Finance and Corn Protocol also pause operations proactively.","source":"Bedrock Official X / The Defiant","source_url":"https://x.com/Bedrock_DeFi/status/1839712719630676051"},{"date":"2024-09-27","event":"Bedrock offers the attacker a job as a security consultant in an apparent white-hat outreach attempt.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/bedrock-crypto-hack-2m-attacker-job-offer"},{"date":"2024-09-29","event":"Bedrock announces integration of Chainlink Proof of Reserve into its minting function as a security upgrade, alongside plans for third-party audits and 24/7 smart contract monitoring.","source":"CryptoBriefing / Chainlink Today","source_url":"https://cryptobriefing.com/bedrock-chainlink-integration-security/"},{"date":"2025-02-01","event":"Bedrock wraps up its Boyco campaign, reporting contribution of 1,000 uniBTC to Berachain's $3 billion TVL, indicating operational recovery.","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/bedrock-wraps-up-boyco-campaign-contributing-1-000-unibtc-to-berachains-3-billion-tvl-302368460.html"},{"date":"2025-06-25","event":"Fuzzland publicly discloses that an alleged former employee planted a supply-chain backdoor (malicious Rust crate `rands`) to execute the September 2024 Bedrock exploit. Fuzzland states it compensated Bedrock for losses, engaged zeroShadow for forensic investigation, and filed reports with the FBI and Chinese law enforcement.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/fuzzland-ex-employee-bedrock-unibtc-exploit"},{"date":"2025-09-04","event":"Bedrock announces launch of uniBTC and brBTC on the Aptos blockchain with ~$700 million TVL reported across 15+ chains.","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/bedrock-launches-unibtc-and-brbtc-on-aptos-expanding-the-frontiers-of-btcfi-302546744.html"}]},"v":1}