About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bedrock vulnerability disclosure and actions- 1506

DedaubPosted 1 Year Ago
  • Bedrock protocol is a liquid staking protocol for various assets, one of which is Bitcoin.
  • The Dedaub team discovered an issue in the protocol then messaged the developers on Twitter about it. Eventually, after not getting a response for 20 minutes, they messaged SEAL 911 to create a war room to contain the issues. During the two hours of the war room, the vulnerability was exploited for 2M. In reality, this was fine because the third-party protocols that could have been rugged were contacted and turned off the functionality.
  • At first glance, 20 minutes is too aggressive to escalate to a third party outside the company. The Twitter message at the bottom of the has a response of "please don't ignore me" after three minutes, which seems fast. Somebody could just be in the shower or sleeping. However, given that it was immediately exploited, it seems warranted. To me, it's weird that two groups found the same vulnerability for a live contract at the same time.
  • The vulnerability was in the mint() function. On the BTC vault, there was a 1 to 1 mapping from Ethereum to BTC. Since BTC is much more expensive, performing this trade would result in an instant profit to the attacker. Although the BTC contract couldn't be called directly, the vault was a trusted minter that could still trigger this.
  • Fairly simple bug but it's always interesting to see the incident response on them!

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed