defirisk.co
rubric v1.7.0

Bedrock (uniBTC vault): Unregistered NATIVE_BTC in SigmaSupplier → disabled supply cap → ETH-to-BTC 1:1 minting (infinite mint)

Bedrock lost $2M when an unaudited uniBTC vault upgrade failed to register BTC as a native asset, letting anyone mint 1 uniBTC per 1 ETH deposited — a 20x price gift — across 8 chains.

Occurred: 2024-09-25 | Loss: $2M | Status: closed

Summary #

Bedrock (uniBTC vault), a liquid restaking / multi-asset staking protocol, was exploited on 2024-09-25 through an infinite-mint bug in the vault contract, resulting in a loss of approximately $2M.

What happened #

An unaudited upgrade to the uniBTC vault added a mint path for the chain's native coin that credits uniBTC 1:1 against the deposit, on the assumption that the native coin is BTC. The upgrade failed to register NATIVE_BTC in SigmaSupplier, so the supply cap that should have bounded that path was effectively disabled. On Ethereum the native coin is ETH, not BTC, so anyone could deposit 1 ETH and receive 1 uniBTC, roughly a 20x mispricing at the time. The same upgraded code was live across 8 chains, and Bedrock lost about $2M before the mint was stopped.
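The two defects above, a native-coin mint path hard-wired to BTC and a cap check that switches off for an unregistered asset, are shown below as an added simulation. This is illustrative code written for this page, not Bedrock's contract; the class and function names are hypothetical, and it assumes the cap was "disabled" because an unregistered asset reads a cap of 0 (a Solidity mapping default) and the check treated 0 as "no cap". The hardened variant fails closed on both points.

```python
"""Added illustration (not Bedrock's code) of an infinite-mint pattern:
native-coin deposits treated as BTC at 1:1, with a supply cap that is
silently skipped for an asset that was never registered."""

NATIVE_BTC = "NATIVE_BTC"       # sentinel meaning "this chain's native coin is BTC"
UNI_BTC_UNIT = 10**8            # uniBTC has 8 decimals (BTC-style)
WEI_PER_COIN = 10**18           # 1 native coin (ETH or BTC on an EVM L2) in wei


class VulnerableVault:
    """Hypothetical upgraded vault with the two bugs the page describes."""

    def __init__(self, caps):
        self.caps = dict(caps)          # asset -> cap; missing asset reads as 0, like a Solidity mapping
        self.supplies = {}
        self.balances = {}

    def _check_cap(self, asset, amount):
        cap = self.caps.get(asset, 0)   # unregistered asset -> 0
        if cap == 0:
            return                      # BUG: 0 is read as "uncapped" instead of "not registered"
        if self.supplies.get(asset, 0) + amount > cap:
            raise ValueError("cap exceeded")

    def mint_native(self, sender, value_wei):
        # BUG: every native coin is credited as 1 BTC, whatever chain this runs on
        amount = value_wei * UNI_BTC_UNIT // WEI_PER_COIN
        self._check_cap(NATIVE_BTC, amount)
        self.supplies[NATIVE_BTC] = self.supplies.get(NATIVE_BTC, 0) + amount
        self.balances[sender] = self.balances.get(sender, 0) + amount
        return amount


class HardenedVault:
    """Same accounting, but the native asset is an explicit per-deployment
    setting and an unset cap rejects the mint instead of allowing it."""

    def __init__(self, native_asset, caps):
        self.native_asset = native_asset   # NATIVE_BTC only on BTC-native chains, else None
        self.caps = dict(caps)
        self.supplies = {}
        self.balances = {}

    def _check_cap(self, asset, amount):
        cap = self.caps.get(asset, 0)
        if cap == 0:
            raise ValueError("asset not registered or cap unset")   # fail closed
        if self.supplies.get(asset, 0) + amount > cap:
            raise ValueError("cap exceeded")

    def mint_native(self, sender, value_wei):
        if self.native_asset != NATIVE_BTC:
            raise ValueError("native coin is not BTC on this chain")
        amount = value_wei * UNI_BTC_UNIT // WEI_PER_COIN
        self._check_cap(NATIVE_BTC, amount)
        self.supplies[NATIVE_BTC] = self.supplies.get(NATIVE_BTC, 0) + amount
        self.balances[sender] = self.balances.get(sender, 0) + amount
        return amount


def exploit_vulnerable(eth_amount=20):
    """Deposit ETH into the vulnerable vault on an ETH chain; returns uniBTC minted (8 decimals)."""
    vault = VulnerableVault(caps={"WBTC": 50 * UNI_BTC_UNIT})   # NATIVE_BTC never registered
    return vault.mint_native("attacker", eth_amount * WEI_PER_COIN)


def attempt_hardened(native_asset, caps, eth_amount=20):
    """Same deposit against the hardened vault; returns the rejection reason or the amount minted."""
    vault = HardenedVault(native_asset=native_asset, caps=caps)
    try:
        return vault.mint_native("attacker", eth_amount * WEI_PER_COIN)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("vulnerable, ETH chain:", exploit_vulnerable() / UNI_BTC_UNIT, "uniBTC for 20 ETH")
    print("hardened, ETH chain:", attempt_hardened(None, {"WBTC": 50 * UNI_BTC_UNIT}))
    print("hardened, BTC chain, cap unset:", attempt_hardened(NATIVE_BTC, {}))
    print("hardened, BTC chain, cap set:", attempt_hardened(NATIVE_BTC, {NATIVE_BTC: 100 * UNI_BTC_UNIT}))
```

The two one-line checks in the hardened version are the whole fix: the vault must know which asset its native coin is on each deployment, and an asset with no cap configured must be unmintable rather than unlimited. Both are the kind of condition a re-audit of the upgraded code, or a deployment checklist per chain, would have caught.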

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — unaudited upgrade]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited post-upgrade code]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — uniBTC vault was a recently deployed/upgraded contract that was not audited] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None active at time of exploit; Bedrock invited attacker to become white-hat post-hack]
  • RD-F-076 — causal : Protocol age (days since first mainnet deploy) [via cross-hack: Factor 35: Protocol Age < 2 Weeks at Time of Hack]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — uniBTC price crashed on multiple pairs (detectable post-facto)]
  • RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
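The RD-F-099 signal above (uniBTC price deviating from a secondary source by more than a threshold) is shown below as an added monitoring example. It is not defirisk.co's or Bedrock's tooling; the tick data is constructed for the example, the pool names are placeholders, and the rule (deviation above a threshold on two consecutive ticks per pair before alerting, to suppress single-tick noise) is an assumed design, not the rubric's stated parameters.

```python
"""Added example (not the site's or Bedrock's code): a depeg monitor that
fires when a wrapped-BTC token's pool price drifts from a secondary reference
by more than a threshold on consecutive ticks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tick:
    ts: int        # observation time (constructed: small integers stand in for block numbers)
    pair: str      # which pool/pair the price came from
    price: float   # uniBTC quoted in BTC-equivalent units; 1.0 means fully pegged


def deviation(primary: float, reference: float) -> float:
    """Absolute fractional deviation of the primary price from the reference."""
    return abs(primary / reference - 1.0)


def detect_depeg(ticks, reference_price, threshold=0.05, confirmations=2):
    """Return (ts, pair, deviation) for each pair the first time its deviation
    has exceeded `threshold` on `confirmations` consecutive ticks.
    A tick back inside the band resets that pair's streak."""
    streak = {}
    alerts = []
    for tick in sorted(ticks, key=lambda t: t.ts):          # stable: same-ts ticks keep input order
        dev = deviation(tick.price, reference_price)
        if dev > threshold:
            streak[tick.pair] = streak.get(tick.pair, 0) + 1
            if streak[tick.pair] == confirmations:
                alerts.append((tick.ts, tick.pair, round(dev, 4)))
        else:
            streak[tick.pair] = 0
    return alerts


# Constructed sample: two pools, the peg holds for two ticks, then the token is sold
# into both pools as the over-minted supply hits the market.
SAMPLE_TICKS = [
    Tick(1, "pool_a", 0.999), Tick(1, "pool_b", 1.001),
    Tick(2, "pool_a", 0.998), Tick(2, "pool_b", 0.999),
    Tick(3, "pool_a", 0.930), Tick(3, "pool_b", 0.990),
    Tick(4, "pool_a", 0.800), Tick(4, "pool_b", 0.900),
    Tick(5, "pool_a", 0.620), Tick(5, "pool_b", 0.750),
    Tick(6, "pool_a", 0.550), Tick(6, "pool_b", 0.600),
]
REFERENCE_PRICE = 1.0   # secondary source: uniBTC should trade 1:1 with BTC


def run_sample():
    return detect_depeg(SAMPLE_TICKS, REFERENCE_PRICE)


if __name__ == "__main__":
    for ts, pair, dev in run_sample():
        print(f"ts={ts} {pair}: uniBTC {dev:.1%} off peg, alert")
```

With a two-tick confirmation the alert lands one tick after each pool first breaks the band, which is the usual trade-off between noise and lead time; the secondary reference should come from a venue the exploiter cannot move cheaply (an aggregate BTC price, not another pool of the same token), or the comparison measures nothing.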