Background introduction
We detected an attack on the Ethereum chain: https://etherscan.io/tx/0x725f0d65340c859e0f64e72ca8260220c526c3e0ccde530004160809f6177940
The attacker made a total profit of 649.6 WETH through this attack, which is about 1.7 million US dollars.
The attacked project is Bedrock, a multi-asset liquidity re-hypothecation protocol supported by a non-custodial solution designed in cooperation with RockX. Bedrock supports re-hypothecation/collateralization of multiple assets, including:
uniBTC: A new re-hypothecation protocol that accepts wrapped BTC tokens, built in cooperation with the BTC collateralization protocol Babylon Chain. The first supported wrapped BTC is the wBTC token on the Ethereum blockchain, so all wBTC token holders enjoy the benefits of staking BTC tokens and the security of the Ethereum network at the same time.
uniETH: Designed for native re-staking and earning additional EigenLayer rewards. Bedrock combines institutional-grade security with additional yield for liquid staking ETH.
uniIOTX: The liquid staking solution on the IoTeX blockchain, which eliminates several of the shortcomings of delegated proof of stake on IOTX.
Attack and incident analysis
First, the attacker borrowed 30.8 WETH through Balancer.
Next, the attacker called the mint function of the Bedrock Vault and transferred in the 30.8 ETH borrowed through the flash loan.
Let’s take a look at the logic of the mint function. As shown in the figure below, the _mint function is called.
Next, let’s look at the logic of the _mint function.
Then, the function _amounts is used to calculate the amount of uniBTC that needs to be minted to msg.sender.
Here _amount is the amount of WETH transferred in, and EXCHANGE_RATE_BASE is 1e10, so the exchange ratio is 1:1e8 (because the decimal base of uniBTC is 1e8, the exchange ratio is 1 ETH:1 uniBTC).
The attacker then exchanged 30.8 uniBTC for 27.8 WBTC through Uniswap, at an exchange ratio of about 1:1.
Finally, the attacker exchanged the 27.8 WBTC for 680.4 WETH through Uniswap, of which 30.8 WETH was used to repay the flash loan. The attacker therefore made a final profit of 649.6 WETH, which is about 1.7M USD.
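The conversion described above, modelled with integer arithmetic as an added example (this is not Bedrock's contract code). It sets the decimals-only calculation beside a price-aware one and checks a value-preservation invariant against the amounts reported in this analysis. Only EXCHANGE_RATE_BASE and the token amounts come from the text; the function names and the oracle-style price parameter are assumptions, and the price used is the one implied by the reported WBTC to WETH swap.

```python
# Added illustration, not Bedrock's contract code. Only EXCHANGE_RATE_BASE and the
# token amounts come from the write-up; every function name here is hypothetical.
EXCHANGE_RATE_BASE = 10**10   # rescales an 18-decimal deposit to 8-decimal uniBTC
WEI = 10**18                  # base units per ETH / WETH
SATS = 10**8                  # base units per uniBTC / WBTC


def amounts_decimals_only(amount_wei: int) -> int:
    """Conversion as described: fix the decimals, ignore the asset's price."""
    return amount_wei // EXCHANGE_RATE_BASE


def amounts_price_aware(amount_wei: int, wei_per_btc: int) -> int:
    """Hypothetical hardened form: value the deposit in BTC before minting.
    wei_per_btc is assumed to come from a price oracle."""
    if wei_per_btc <= 0:
        raise ValueError("missing or invalid price")
    return amount_wei * SATS // wei_per_btc


def mint_preserves_value(amount_wei: int, minted_sats: int, wei_per_btc: int) -> bool:
    """Invariant for tests or monitoring: minted value must not exceed deposit value."""
    return minted_sats * wei_per_btc <= amount_wei * SATS


def replay_reported_flow() -> dict:
    """Replays the amounts reported in the write-up (constructed from its figures)."""
    deposit = 308 * WEI // 10        # 30.8 ETH from the flash loan
    wbtc_out = 278 * SATS // 10      # 27.8 WBTC received for the uniBTC
    weth_out = 6804 * WEI // 10      # 680.4 WETH received for the WBTC
    # Market price implied by the last swap; stands in for an oracle reading.
    wei_per_btc = weth_out * SATS // wbtc_out
    flawed = amounts_decimals_only(deposit)
    fair = amounts_price_aware(deposit, wei_per_btc)
    return {
        "flawed_mint_sats": flawed,
        "fair_mint_sats": fair,
        "flawed_ok": mint_preserves_value(deposit, flawed, wei_per_btc),
        "fair_ok": mint_preserves_value(deposit, fair, wei_per_btc),
        "profit_wei": weth_out - deposit,
    }


if __name__ == "__main__":
    for key, value in replay_reported_flow().items():
        print(f"{key}: {value}")
```

The same invariant can be asserted in a unit or fork test for any mint path that accepts more than one deposit asset.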
Summary
The cause of this vulnerability is that the exchange ratio of WETH and uniBTC was not properly handled, resulting in WETH and uniBTC being exchanged at 1:1, and the value of WETH was magnified tens of thousands of times. The attacker used the distorted price to make a profit through lending, and eventually the attacker used the borrowed WETH to empty the project’s uniBTC tokens.