Hacker behind $2M crypto heist receives job offer from victim protocol

Avatar

Crypto liquid restaking protocol Bedrock lost roughly $2 million in a security exploit. In return, the attacker was offered the job of securing the very protocol it stole from.

On Sept. 26, Web3 security firm Dedaub discovered a smart contract vulnerability in multiple uniBTC vaults of Bedrock. According to Dedaub, the bug was disclosed to Bedrock but no action was taken in response to the threat. The security firm added:

“Unfortunately, even though we found the issue in the smart contract several hours before, by the time the team responded, the vulnerability had been exploited.”

The vulnerability was exploited for approximately $2 million loss. However, the attacker had the opportunity to steal up to $75 million from the uniBTC vaults. 

Source: Bedrock

On Sept. 27, Bedrock acknowledged the hack and said the protocol is developing a reimbursement plan to recoup investors’ losses. Additionally, Bedrock revealed working “with audit teams and white hats to recover the lost funds.”

Trying a new approach to funds recovery

Moreover, Bedrock also tried to contact the hacker through an onchain message found on the Ethereum blockchain analytics platform, Etherscan.

Bedrock offers a white hat job to the hacker. Source: Etherscan

Bedrock asked the hacker:

“We would like to communicate with you inviting you to become a white hat for the recent incidence. Would you be interested in working with us and making the protocol more secure?”

The hacker was also offered a reward for the $2 million uniBTC vault exploit. However, the hacker had not responded to the message at the time of this writing. 

The Bedrock team assured users that the existing funds were safe and committed to unpause staking on uniBTC contracts once the vulnerability was neutralized.

Related: Coinbase-backed Truflation confirms hack, losses estimated to be $5M

Crypto lender Shezmu recently recovered nearly $5 million from a hacker after a successful onchain negotiation. 

Negotiating back stolen funds

After confirming that one of its ShezmuUSD (ShezUSD) stablecoin vaults was exploited, Shezmu proactively urged the hacker to return the funds in exchange for a 10% bounty reward with no legal repercussions.

Source: Shezmu

However, the hacker responded to the request by demanding a 20% bounty reward instead of the initial 10% offer, which Shezmu agreed to.

Shezmu’s team negotiates the return of stolen funds with the hacker. Source: Etherscan

After the blockchain discussion, Shezmu began receiving the stolen Dai (DAI) tokens in its wallet. The hacker initially returned 282.18 Ether (ETH) to the protocol and followed it up with another refund of 137 Wrapped Ether (WETH).

Magazine: Worldcoin fined again! Crypto store clerk runs off with $500K cash: Asia Express