Greetings!
Almost $8M was stolen across 8 incidents ranging from smart contract exploits and private key theft to malicious insiders and web2 infra hacking attempts. Let’s explore a few of the most interesting ones:
Bedrock almost caused a DeFi meltdown last week after their uniBTC token mistakenly enabled the use of native tokens for minting. A single uninitialized variable allowed anyone to reach the following minting function, which was designed to exchange other BTC-like assets, like cbBTC, for uniBTC at a 1:1 rate:
```solidity
/**
 * @dev mint uniBTC with native BTC
 */
function mint() external payable {
    require(!paused[NATIVE_BTC], "SYS002");
    _mint(msg.sender, msg.value);
}
```
Bad actors could easily borrow ETH to exchange for uniBTC at a 1:1 rate!
Luckily, Dedaub detected the vulnerability shortly after the contract deployment and kicked off the incident response with the SEAL 911 team.
2024-09-25 06:17 - Vulnerable vault deployed on Ethereum and other chains [tx].
2024-09-26 16:00 - Dedaub discovered the vulnerability.
2024-09-26 16:27 - Dedaub reached out to Bedrock about the vulnerability.
2024-09-26 16:41 - SEAL 911 War Room started.
2024-09-26 18:28 - First exploit transaction [tx].
2024-09-26 18:34 - Bedrock IR team notified [link].
2024-09-26 18:44 - First copycat exploit [tx].
2024-09-26 18:54 - Even more copycats exploiting [tx].
2024-09-26 21:03 - Vault paused [tx].
2024-09-27 01:39 - Bedrock makes a public announcement of the hack [link].
Some observations:
Dedaub and SEAL 911 had trouble reaching Bedrock to share the bug pre-hack and during active exploitation. An easily accessible security contact and an actively monitored incident notification channel could have made this incident just an urgent vulnerability report.
Not only was the short 2-hour window lost before the hacking began, but another 3 hours were lost before the team finally hit the pause button. If the team was indeed notified at 18:34, there was no reason to wait so long to pause the vulnerable contract. The delay invited dozens of copycats to methodically drain pools across six chains. Pause first, ask questions later!
Was there any security monitoring at all to catch minting anomalies, pools being drained, anything suspicious? Probably not, or, even worse, security alerts went into an unmonitored mailbox.
We make mistakes all the time. The Bedrock deployment script made a mistake that audits could not catch. However, the $2M lost in this incident was simply due to not having a security process to collect and react to security alerts. At least SEAL saved the day by helping halt $70M+ in pools with uniBTC.
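The minting-anomaly monitoring asked about above, as an added example (not code from Bedrock, Dedaub, SEAL 911 or this newsletter): it checks that every uniBTC mint is backed by BTC-equivalent value and recommends a pause once unbacked supply crosses a threshold. The event fields, prices, tolerance, pause threshold and sample records are constructed assumptions.

```python
from decimal import Decimal

# Constructed reference prices in BTC per unit of deposited asset
# (assumption: a real monitor would read these from a price feed).
PRICE_IN_BTC = {"cbBTC": Decimal("1"), "WBTC": Decimal("1"), "ETH": Decimal("0.04")}
TOLERANCE = Decimal("0.02")  # allow 2% drift between backing and minted amount

# Constructed sample mint records, not real transactions.
SAMPLE_MINTS = [
    {"tx": "0xaaa1", "chain": "ethereum", "asset": "cbBTC", "deposited": "1.5", "minted": "1.5"},
    {"tx": "0xaaa2", "chain": "ethereum", "asset": "ETH", "deposited": "30", "minted": "30"},
    {"tx": "0xaaa3", "chain": "example-l2", "asset": "WBTC", "deposited": "0.2", "minted": "0.2"},
    {"tx": "0xaaa4", "chain": "example-l2", "asset": "DOGE", "deposited": "5", "minted": "5"},
]

def check_mint(event):
    """Return an alert dict if minted uniBTC exceeds the BTC value deposited, else None."""
    minted = Decimal(event["minted"])
    price = PRICE_IN_BTC.get(event["asset"])
    if price is None:
        # Unknown collateral should never reach a mint path: fail closed.
        return {"tx": event["tx"], "reason": "unknown asset", "unbacked": minted}
    backing = Decimal(event["deposited"]) * price
    if minted > backing * (1 + TOLERANCE):
        return {"tx": event["tx"], "reason": "minted exceeds backing",
                "unbacked": minted - backing}
    return None

def scan(events, pause_threshold=Decimal("1")):
    """Collect alerts and decide whether cumulative unbacked supply warrants a pause."""
    alerts = [a for a in map(check_mint, events) if a]
    total_unbacked = sum((a["unbacked"] for a in alerts), Decimal("0"))
    return alerts, total_unbacked, total_unbacked >= pause_threshold

if __name__ == "__main__":
    alerts, total, pause = scan(SAMPLE_MINTS)
    for a in alerts:
        print(f"ALERT {a['tx']}: {a['reason']} (unbacked {a['unbacked']} uniBTC)")
    print(f"total unbacked: {total} uniBTC, recommend pause: {pause}")
```

An alert like this is only useful if it pages someone who is authorized to pause the contract.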
Speaking of unnecessary hacks, Onyx Protocol was hacked again for $3.8M with the Compound bug that already cost them $2M about a year ago. The issue here is a lack of process and/or knowledge of your code base. A simple playbook on how to safely deploy new cTokens would have saved their day.
When I first got into blocksec, I was (and still am) fascinated by beautiful attack vectors. If only we could get as many audits as possible to find those pesky oracle bugs or stop reentrancy, we would be safe, right? To a degree. I am starting to realize we may need to zoom out and start teaching DeFi projects the basics of security programs, the fundamentals of security threats, detecting and responding to incidents, and just a healthy degree of paranoia that all of those audits are not enough. I am excited to share more at The State of DeFi Security talk at the DeFi Security Summit in November.
Let’s dive into the news!