Hacker Behind $2M Crypto Heist Offered Job by Victim Protocol

In a surprising twist, Bedrock, a crypto liquid restaking protocol, extended a job offer to the hacker who exploited a vulnerability in its system, resulting in a $2 million theft. Rather than pursuing legal action, the protocol hopes to collaborate with the attacker to enhance its security and recover the stolen assets.

The $2 Million Exploit

On September 26, Web3 security firm Dedaub identified a critical flaw in several uniBTC vaults linked to Bedrock. Although Dedaub notified Bedrock about the vulnerability, the protocol failed to respond in time, allowing the hacker to exploit the bug. Dedaub reported that while the hacker managed to steal $2 million, they had access to as much as $75 million from the compromised vaults.

Bedrock acknowledged the breach on September 27, assuring users that the protocol was devising a reimbursement plan to compensate for the losses. In response, Bedrock is collaborating with audit teams and ethical hackers to recover the stolen funds and strengthen security measures.

A New Approach to Recovery

In a bid to recover the stolen assets, Bedrock took an unconventional route, reaching out to the hacker via an on-chain message. The team invited the attacker to switch sides, offering them a white hat role to help secure the protocol. Bedrock’s message, visible on the Ethereum blockchain through Etherscan, read:

“We would like to communicate with you, inviting you to become a white hat for the recent incident. Would you be interested in working with us and making the protocol more secure?”

In addition to the job offer, Bedrock proposed a reward for the hacker’s actions in exploiting the uniBTC vaults. As of now, the hacker has not responded to the offer. Bedrock has reassured users that the remaining funds are safe and intends to resume staking operations once the vulnerability has been fully addressed.

Precedent for Negotiating with Hackers

This isn’t the first time a crypto protocol has taken a diplomatic approach to dealing with hackers. Crypto lender Shezmu recently recovered nearly $5 million in stolen assets after successful negotiations with the attacker. After confirming an exploit in one of its ShezmuUSD stablecoin vaults, the protocol offered the hacker a 10% bounty with no legal consequences. The hacker countered, demanding a 20% bounty, which Shezmu accepted. Following this agreement, the hacker returned the stolen assets in increments.

Anish Khalifa
Hi there! I'm Anish Khalifa, a passionate cryptocurrency content writer with a deep love for this ever-evolving industry. I've been writing about crypto for over 3 years now and I've been captivated by its potential to revolutionize the financial world.
