Fuzzland has compensated Bedrock and launched joint investigations after internal compromise
Smart contract security firm Fuzzland has disclosed that a former employee orchestrated the $2 million exploit on Bedrock’s UniBTC protocol in September 2024, leveraging insider access and sophisticated malware techniques.
— 𝕗𝕦𝕫𝕫𝕝𝕒𝕟𝕕 (@fuzzland_) June 23, 2025
In a newly released transparency report, Fuzzland revealed that the ex-employee used a combination of social engineering, supply chain compromise, and advanced persistent threats (APT) to gain unauthorized access to internal systems and sensitive data.
Exploit Originated From Insider Access and Backdoor Implant
The attacker reportedly inserted malicious code into engineering workstations, creating backdoors that went undetected for weeks. The breach allowed the insider to act on a previously identified vulnerability in the UniBTC protocol, first flagged in a report by security firm Dedaub.
Although Fuzzland had initially detected the vulnerability, it was misclassified as a false positive and deprioritized, allowing the exploit to occur during a period of internal incident response.
Fuzzland Compensates Bedrock and Engages Authorities
Following the breach, Fuzzland stated it has fully compensated Bedrock for the $2 million loss and launched a joint investigation with security firm ZeroShadow. The company has also filed reports with Chinese authorities and the FBI, and is collaborating with industry security partners Seal 911 and SlowMist to strengthen best practices.
Fuzzland emphasized that no client or customer data was affected, as the compromise was isolated to a separate internal environment.
Bedrock TVL Doubles Despite Exploit
Bedrock, a multi-asset liquid restaking platform, offers synthetic assets like UniBTC, UniETH, and UnilOTX, which allow users to earn staking yields. Despite the September exploit, Bedrock’s total value locked (TVL) has grown significantly — from $240 million in September 2024 to $535 million by June 2025, according to DefiLlama.
$2.1 Billion Lost to Crypto Hacks in 2025 So Far
Fuzzland’s disclosure comes amid a surge in social engineering-based crypto attacks. On June 4, blockchain security firm CertiK reported that over $2.1 billion has already been stolen in crypto-related incidents in 2025, with phishing and wallet compromises now outpacing traditional smart contract vulnerabilities.
CertiK co-founder Ronghui Gu noted that this shift signals an evolving threat landscape, where hackers prioritize human error over code exploits.
Outlook
While the Fuzzland-Bedrock case highlights the dangers of insider threats, it also underscores the importance of incident transparency and rapid compensation in restoring market confidence. With security firms and law enforcement now actively investigating, the case could become a landmark example of insider risk management in the Web3 space.
