Qubit Finance gets $80 million in crypto stolen and offers hacker $250,000 bounty in exchange for stolen funds



February 1, 2022

DeFi platform Qubit Finance has announced that its protocol has been exploited by a hacker. The attacker stole 206,809 Binance tokens (BNB) from Qubit’s QBridge protocol, worth more than $80 million at the time of the incident. DeFiYield maintains a list of attacks on DeFi platforms, which ranks the attack on Qubit as the seventh largest after Compound Labs ($89 million loss), BadgerDAO ($120 million loss), Cream Finance ($130 million loss), Boy X Highspeed ($139 million loss), Vulcan Forged ($140 million loss), and Poly Network ($602 million loss). This list does not include attacks on Grim Finance and AscendEX.

Qubit Bridge is an Ethereum-connected cross-chain bridge that allows users to move WETH from the Ethereum mainnet to Qubit smart contracts based on the Binance Smart Chain (BSC). In this way they can mint xETH, which is used in particular as loan collateral on the protocol. Smart contracts are computer protocols that facilitate, verify, and enforce the negotiation or performance of a contract, or that render a contractual term unnecessary (because it is attached to the smart contract). Smart contracts usually have a user interface and emulate the logic of contract terms.

On Thursday, a hacker exploited a vulnerability in the Qubit Bridge to mint xETH without depositing any WETH. Using xETH as collateral, the hacker siphoned off 206,809 BNB from Qubit Finance, or $80 million at the time. Since all of this loot was visible at the hacker’s address, the Qubit team offered the hacker a $250,000 bounty in exchange for the stolen funds.

“Looks like @QubitFin’s QBridge was hacked to create a lot of xETH collateral and drain $80m from mutual funds,” tweeted PeckShield, which claimed to have audited lending provider Qubit, not QBridge. The news was later confirmed on Twitter by the loan provider.

The attack address was identified as: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7. The stolen assets were replaced with 206,809.69 BNB. The Qubit team tweeted that it continues to “monitor the exploiter and monitor the affected assets”. At the same time, Qubit offered to pay the hacker $250,000 in exchange for the return of the stolen funds:

“We suggest that you negotiate directly with us before taking any further action. The exploitation and loss of funds has a profound effect on thousands of real people. If the maximum premium isn’t what you’re looking for, we’re open for a conversation. Let’s try to find a solution,” wrote the financial team of Qubit, who shared the exchanges on Twitter.


In a blog post, the company explained that its Qubit protocol was exploited on the QBridge deposit feature:

The attacker called the QBridge deposit function on the Ethereum network, which calls the QBridgeHandler deposit function. QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who made the tx does not have a WETH token, the transfer should not take place

    tokenAddress.safeTransferFrom(depositer, address(this), amount)

In the code above, tokenAddress is 0, so safeTransferFrom did not fail and the deposit function terminated normally regardless of the value of the amount.

Also, tokenAddress was the WETH address before DepositETH was added, but when DepositETH is added, it is replaced with address zero which is the tokenAddress of ETH.

In summary, the deposit function is a function that should not have been used after the new development of depositETH, but remained in the contract.
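
The failure mode the blog post describes, next to a hardened form, as an added example that is not Qubit's code. It assumes the transfer helper made a low-level call without checking that the target address holds contract code; the library, contract, constant and mapping names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added illustration, not Qubit's source. All names here are hypothetical
// except deposit, safeTransferFrom, tokenAddress and depositer, which the post uses.
bytes4 constant TRANSFER_FROM = bytes4(keccak256("transferFrom(address,address,uint256)"));

library UncheckedTransfer {
    // Assumed vulnerable pattern: low-level call with no code-existence check.
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, amount));
        // A call to an address with no code, such as address(0), returns ok == true
        // and empty return data, so this require passes although no token moved.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}

library CheckedTransfer {
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // Hardened: the target must be a deployed contract before the call result is trusted.
        require(token.code.length > 0, "token has no code");
        (bool ok, bytes memory data) = token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}

contract HandlerSketch {
    address public immutable bridge;
    mapping(bytes32 => address) public resourceIDToTokenAddress; // hypothetical registry
    event Deposit(address indexed depositer, address tokenAddress, uint256 amount);

    constructor(address bridge_) {
        bridge = bridge_;
    }

    function deposit(bytes32 resourceID, address depositer, uint256 amount) external {
        require(msg.sender == bridge, "only bridge");
        address tokenAddress = resourceIDToTokenAddress[resourceID];
        // address(0) is the placeholder for native ETH; the ERC-20 path must never accept it.
        require(tokenAddress != address(0), "use depositETH for ETH");
        CheckedTransfer.safeTransferFrom(tokenAddress, depositer, address(this), amount);
        emit Deposit(depositer, tokenAddress, amount);
    }
}
```

Either check alone stops a deposit event from being emitted for a token address without code; keeping both also covers a registry entry that points at any other address with no contract deployed.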

The company said it has taken action, including:

  • The team continues to follow the exploiter and monitor the affected assets.
  • The team contacted the exploiter to offer the maximum premium set by our program.
  • The team cooperates with security and network partners, including Binance.
  • Funding, swapping, borrowing, redeeming, relaying and relaying redemption functions are disabled until further notice. The claim is available.

We would like to thank all the people, security partners and projects who have reached out and helped with information. We continue to investigate and are in communication with Binance. Further updates and a full report will be shared as they become available.

For the moment, no information concerning the outcome of the negotiations between Qubit Finance and the hacker has emerged. The protocol team also hasn’t said whether it intends to refund or compensate users for funds lost to the hack.

Blockchain security firm CertiK has released a detailed explanation of how the attack happened. It tracks stolen funds as hackers move them to different accounts.

The seventh largest hack in terms of loss

According to data from DeFi Yield, the Qubit Finance exploit appears to be the seventh largest hack of a DeFi protocol by value of stolen funds. This caused a 27% drop in Qubit, its native token. Since the Binance Smart Chain launched in September 2020, the network has become infamous for the number of hacks, exploits, and rug pulls that have taken place on it.

In 2021, several DeFi projects on BSC suffered major hacks or exploits. Some of the most serious include the $31 million Meerkat Finance hack in March 2021, a Uranium Finance exploit that cost protocol users $50 million in April, and the $88 million attack on Venus Finance the following month.

The negotiation route taken by Qubit Finance is not a first: it had already been taken a few months ago by Poly Network.

Poly Network is a decentralized finance (DeFi) platform that allows tokens to be exchanged between different blockchains. The founder of Chinese blockchain project Neo launched Poly Network in partnership with Ontology and Switcheo. The platform was subject to an attack in which hackers exfiltrated more than $600 million in cryptocurrencies. The hack involved $270 million in Ether, $250 million on Binance’s Smart Chain, $84 million on the Polygon Network, plus a handful of other smaller volume tokens, like Tether, Shiba Inu and Matic.

Experts have called the robbery the biggest decentralized finance heist in history. Poly Network had immediately sent a message to the hackers behind the attack asking them to return the stolen money, taking the trouble to specify that they would be prosecuted otherwise.

The company said the hacker started by returning the funds, and the company offered to pay him a bug bounty of $500,000 as well as a job within its structure as Chief Security Advisor.

In a statement, the company thanked the hacker (whom it dubbed “white hat”, industry jargon for an ethical hacker who typically aims to expose cyber vulnerabilities), who returned the bulk of the funds, “for helping us improve the security of PolyNetwork”. Poly Network also said it hopes “Mr. White Hat” will contribute to the continued development of the blockchain industry by accepting the $500,000 reward, which it offered as part of the negotiations around the return of the tokens. The statement did not specify in what form the company would pay the $500,000.

For his part, the hacker said: “I’m really sorry that my crazy adventure has impacted innocent people. I tried not to make too many waves in the crypto world, not to touch shitcoins (note: cryptocurrencies that have little value), not to keep the money for myself and not to dump. But even the Avengers are plagued with complaints from civilians. I’m seriously considering accepting the Poly Network reward and starting a compensation fund for the victims, even though it’s hard to find that you lost your money because of me and not because of risky bets.”

Sources: Qubit Finance (1, 2), PeckShield, CertiK (1, 2), DeFiYield
