This is a lower bound: only assets with reliable historical USD prices are counted, so the actual loss may be higher.
Transaction and contract addresses referenced in this write-up (all on Ethereum):
- Transaction: 0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4
- 0xfFadB0bbA4379dFAbFB20CA6823F6EC439429ec2
- 0x643d448cea0d3616f0b32e3718f563b164e7edd2 (bWETH)
- 0x08830038a6097c10f4a814274d5a68e64648d91c
- 0x649127d0800a8c68290129f091564ad2f1d62de1
- 0xe61ad5b0e40c856e6c193120bd3fa28a432911b6

Blueberry accepted a massively undercollateralized borrowing position in Ethereum block 19287289. In transaction 0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4, an unprivileged attacker used a Balancer flash loan for exactly 1 WETH, supplied that WETH into Blueberry's bWETH market, then borrowed OHM, USDC, and WBTC whose real market value far exceeded the posted collateral.
The root cause is a unit-normalization failure between Blueberry's oracle stack and its Compound-derived Comptroller. Blueberry's oracle returned flat USD prices with 1e18 precision, while the Comptroller liquidity path consumed those prices directly against raw borrow balances for assets with 9, 6, and 8 decimals. That mismatch discounted OHM, USDC, and WBTC debt by 1e9, 1e12, and 1e10 respectively during borrow checks, so the protocol treated an insolvent account as solvent.
Blueberry uses a Compound-style money market architecture. Users supply collateral into bToken markets, enter those markets in the Comptroller, and then borrow other listed assets subject to account-liquidity checks. The relevant contracts in this incident are:
- 0xfFadB0bbA4379dFAbFB20CA6823F6EC439429ec2
- 0x16D43cAC32329ec286Dc14431e0c0E805e6F5174 (the oracle proxy that answers getUnderlyingPrice in the trace)
- 0x770d3e22703210c09a573c2043081d97286f415e
- bWETH at 0x643d448cea0d3616f0b32e3718f563b164e7edd2
- bOHM, bUSDC, bWBTC

The critical interface boundary is price normalization. Blueberry's verified CoreOracle source exposes plain USD prices and token-value helpers:
```solidity
// Flat USD price of one whole token, 1e18-scaled. No adjustment for the
// token's own decimals is applied here.
function getPrice(address token) external view override returns (uint256) {
    return _getPrice(token);
}

// USD value of `amount` raw units. The oracle divides by the token's decimals
// itself, which is correct for direct quoting; the Comptroller liquidity path
// does not perform this division.
function _getTokenValue(address token, uint256 amount) internal view returns (uint256 value) {
    uint256 decimals = IERC20MetadataUpgradeable(token).decimals();
    value = (_getPrice(token) * amount) / 10 ** decimals;
}
```
That design is internally coherent for direct USD quoting. The problem is that the same oracle proxy is also wired into a Compound-derived Comptroller path that multiplies raw borrow balances by getUnderlyingPrice during liquidity checks. The validator independently queried the oracle at block 19287289 and confirmed the returned prices were flat 1e18-style values:
bUSDC getUnderlyingPrice = 1000016440000000000
bOHM getUnderlyingPrice = 12774830590457521373
bWBTC getUnderlyingPrice = 51342237060610000000000
bWETH getUnderlyingPrice = 2982380710380000000000
USDC decimals = 6
OHM decimals = 9
WBTC decimals = 8
WETH decimals = 18
Because WETH has 18 decimals, its collateral valuation was roughly correct. The non-18-decimal debts were not.
This is an ATTACK-class incident caused by broken accounting at an integration boundary rather than by privileged access or attacker-private artifacts. Blueberry reused Compound liquidity logic but did not normalize oracle outputs to the units expected by that logic for non-18-decimal assets. The exploit therefore did not require bypassing access control, altering protocol configuration, or interacting with any hidden state.
The violated invariant is straightforward: collateral and liabilities must be valued on the same scale before the Comptroller compares them. Blueberry broke that invariant by feeding flat 1e18 USD prices from CoreOracle into a Comptroller path that consumes raw token balances. For OHM, USDC, and WBTC, the borrow side was therefore understated by the difference between 18 and the token's native decimals.
The technical breakpoint is the liquidity-check path behind borrowAllowed. The seed trace shows each borrow calling into the oracle proxy for getUnderlyingPrice, then proceeding with the borrow rather than reverting. The exploit succeeds because the account remains apparently healthy inside Blueberry's own risk engine even after all three liabilities are booked.
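To make the mismatch concrete, here is an added example (not Blueberry or Compound code) that reproduces Compound's account-liquidity arithmetic in Python with the prices and raw balances quoted above, once with the flat 1e18 prices as Blueberry wired them and once with prices normalized to Compound's 1e(36 - decimals) convention. It assumes an exchange rate of 1 and a 100% collateral factor for bWETH, both of which can only make the position look healthier than it was.

```python
# Added example (not Blueberry or Compound code): Compound's
# getHypotheticalAccountLiquidity arithmetic fed with the block 19287289 values
# quoted above. Assumed: exchangeRate = 1 and a 100% collateral factor for bWETH.
WAD = 10**18

# Flat 1e18-scaled USD prices returned by CoreOracle at block 19287289 (from the page).
FLAT_PRICE = {
    "WETH": 2982380710380000000000,
    "OHM": 12774830590457521373,
    "USDC": 1000016440000000000,
    "WBTC": 51342237060610000000000,
}
DECIMALS = {"WETH": 18, "OHM": 9, "USDC": 6, "WBTC": 8}

# Raw smallest-unit amounts from the exploit transaction (from the page).
COLLATERAL = {"WETH": 10**18}
BORROWS = {"OHM": 8616071267266, "USDC": 913262603416, "WBTC": 686690100}

def compound_price(token, normalize):
    """Price as Compound's liquidity math expects it: scaled by 1e(36 - decimals),
    so that price * rawBalance / 1e18 is an 18-decimal USD value. With
    normalize=False the flat price passes through unchanged (the Blueberry wiring)."""
    if not normalize:
        return FLAT_PRICE[token]
    return FLAT_PRICE[token] * 10 ** (18 - DECIMALS[token])

def account_liquidity(normalize, collateral_factor_wad=WAD):
    """Return (sum_collateral, sum_borrow, liquidity, shortfall) in 1e18 USD,
    using the same truncating fixed-point steps as the Comptroller."""
    sum_collateral = 0
    for token, raw in COLLATERAL.items():
        # tokensToDenom = collateralFactor * exchangeRate(=1) * oraclePrice
        tokens_to_denom = collateral_factor_wad * compound_price(token, normalize) // WAD
        sum_collateral += tokens_to_denom * raw // WAD
    sum_borrow = 0
    for token, raw in BORROWS.items():
        sum_borrow += compound_price(token, normalize) * raw // WAD
    if sum_collateral > sum_borrow:
        return sum_collateral, sum_borrow, sum_collateral - sum_borrow, 0
    return sum_collateral, sum_borrow, 0, sum_borrow - sum_collateral

def borrow_allowed(normalize):
    """True when the Comptroller would accept the position (no shortfall)."""
    return account_liquidity(normalize)[3] == 0

if __name__ == "__main__":
    for mode in (False, True):
        col, bor, _, short = account_liquidity(mode)
        print(f"normalized={mode}: collateral=${col / WAD:,.2f} borrows=${bor / WAD:,.2f} "
              f"shortfall=${short / WAD:,.2f} borrowAllowed={borrow_allowed(mode)}")
```

With the flat prices the three debts sum to well under one dollar and the check passes; with normalized prices the same position carries roughly $1.37 million of debt against about $2,982 of collateral.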
The attacker's helper contract 0x3aa228a80f50763045bdfc45012da124bd0a6809 was called by EOA 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671 in transaction 0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4. The transaction metadata and full trace show the following sequence:
Vault::flashLoan(..., [WETH], [1000000000000000000])
Comptroller::enterMarkets([bWETH])
BErc20Delegator::mint(1000000000000000000)
BErc20Delegator::borrow(8616071267266) // OHM
BErc20Delegator::borrow(913262603416) // USDC
BErc20Delegator::borrow(686690100) // WBTC
SwapRouter::exactInputSingle(... OHM -> WETH ...)
SwapRouter::exactInputSingle(... WBTC -> WETH ...)
SwapRouter::exactInputSingle(... USDC -> WETH ...)
The trace also shows the oracle path being exercised during each borrow:
0x16D43cAC...::getUnderlyingPrice(bOHM)
CoreOracle::getPrice(OHM)
0x16D43cAC...::getUnderlyingPrice(bUSDC)
CoreOracle::getPrice(USDC)
0x16D43cAC...::getUnderlyingPrice(bWBTC)
CoreOracle::getPrice(WBTC)
On-chain state deltas confirm the resulting position. After the transaction:
- 9,999,999,999 units of bWETH, the minted collateral position created from exactly 1 WETH
- bOHM lost 8,616,071,267,266 OHM units
- bUSDC lost 913,262,603,416 USDC units
- bWBTC debt persisted at 686,690,100 satoshi-denominated units

The decisive evidence is that Blueberry itself still considered the account borrowable after the exploit path. The auditor's oracle and the validator's PoC both check Comptroller.borrowAllowed(..., 1) == 0 after the exploit sequence, meaning the protocol continued to approve additional borrowing despite the position being economically insolvent.
This directly matches the accounting failure: WETH collateral was valued at an appropriate 18-decimal scale, while OHM, USDC, and WBTC liabilities were not. The exploit therefore depended on public protocol behavior and public liquidity only; no private keys, privileged governance access, or attacker-owned protocol components were needed.
The adversary execution was a single-transaction ACT flow:
1. Take 1 WETH from Balancer Vault 0xBA12222222228d8Ba445958a75a0704d566BF2C8 via a permissionless flash loan.
2. Enter the bWETH market and mint collateral using exactly that 1 WETH.
3. Borrow 8,616,071,267,266 OHM units from bOHM.
4. Borrow 913,262,603,416 USDC units from bUSDC.
5. Borrow 686,690,100 WBTC units from bWBTC.
6. Repay the 1 WETH flash-loan principal inside the same transaction.

The balance-diff artifact confirms the economic realization. The WETH/native wrapper address lost roughly 457.684573171942039196 wei-equivalent units, while the attacker-controlled address gained roughly 457.547267799990457388 wei-equivalent units. That is consistent with a highly profitable undercollateralized-borrow extraction after flash-loan repayment and execution costs.
Blueberry suffered protocol-side bad debt because it allowed assets worth far more than 1 WETH to leave the protocol while recognizing the position as adequately collateralized. The losses recorded in the root-cause artifact are:
- "8616071267266" with decimal = 9
- "913262603416" with decimal = 6
- "686690100" with decimal = 8

Those are raw on-chain smallest-unit amounts. They correspond to the assets drained from Blueberry borrow markets and left outstanding against the attacker's position.
Transaction, actors, and artifacts referenced above:
- Transaction: 0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4
- Attacker EOA: 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
- Attacker helper contract: 0x3aa228a80f50763045bdfc45012da124bd0a6809
- Trace: artifacts/collector/seed/1/0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4/trace.cast.log
- Balance diff: artifacts/collector/seed/1/0xf0464b01d962f714eee9d4392b2494524d0e10ce3eb3723873afd1346b8b06e4/balance_diff.json
- Verified source: https://etherscan.io/address/0xfFadB0bbA4379dFAbFB20CA6823F6EC439429ec2#code
- Verified source: https://etherscan.io/address/0x770d3e22703210c09a573c2043081d97286f415e#code