High-profile robberies or hacks are becoming more and more common in the cryptocurrency world, and Qubit Finance is the most recent decentralized finance (DeFi) platform to be targeted by hackers. The attackers were able to compromise Qubit Finance, which is built on the Binance Smart Chain, and steal about $80 million (about Rs 600 crores). The addresses involved in the heist took 2,06,809 Binance Coin (BNB) from Qubit’s QBridge protocol. This is the largest cryptocurrency heist to date in 2022. Qubit Finance admitted the heist in a tweet. “The team is currently working with security and network partners on next steps. We will share further updates as they become available,” the tweet said.
The protocol was exploited by;
0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
The hacker minted unlimited xETH to borrow on BSC.
The team is currently working with security and network partners on the next steps.
We will share further updates as they become available.
— Qubit Finance (@QubitFin) January 28, 2022
According to security firm PeckShield, the assets were valued at more than $80 million at current rates. PeckShield had checked Qubit’s smart contracts. The security firm also stated that the QBridge was hacked to store a “huge amount of xETH collateral”, which was then used to drain the entire amount of Binance Coin on QBridge.
It looks like the QBridge from @QubitFin is hacked to store huge amounts of xETH collateral and drain the pool funds about $80 million. Please note that we audited the Qubit loans, not the QBridge! More to come…
— PeckShield Inc. (@peckshield) January 27, 2022
DeFi platforms like Qubit Finance use smart contracts instead of third parties to provide customers with financial services such as trading, lending and borrowing. Users can deposit their cryptocurrency holdings into the Qubit protocol and borrow a predetermined amount against them. QBridge is a cross-chain feature that allows users to collateralize their assets on other networks without having to move their assets between chains.
According to an “incident analysis” by security firm CertiK, the attacker used a deposit option in the QBridge contract to fraudulently generate 77,162 qXETH, an asset that represents Ether bridged over Qubit. The protocol was misled into assuming that the attacker had made a deposit when they hadn’t. CertiK stated that the hacker repeated these acts several times, converting all assets into Binance Coin.
Incident analysis
The hacker called `deposit()` in the QBridge #eth contract without actually making a deposit and broadcasting the deposit event
The exploit was caused by `tokenAddress.safeTransferFrom` in QBridgeHandler.sol not reverting the tx when the tokenAddress is the 0x0. pic.twitter.com/jBpm2W3tUP
— CertiK Security Ranking (@CertiKCommunity) January 28, 2022
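The failure mode CertiK describes, shown beside a hardened form, as an added example that is not Qubit's code. It assumes the transfer helper wraps a low-level call, which is the common pattern for such helpers; the library, contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not taken from QBridgeHandler.sol.
library TransferSketch {
    bytes4 private constant TRANSFER_FROM =
        bytes4(keccak256("transferFrom(address,address,uint256)"));

    // Weak pattern: a low-level call to an address that holds no contract
    // code (0x0 included) returns ok == true with empty return data, so the
    // check below passes although no token moved.
    function weakTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }

    // Hardened pattern: reject targets without code before trusting the
    // result of the low-level call. This also rejects the zero address.
    function checkedTransferFrom(address token, address from, address to, uint256 amount) internal {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}

contract BridgeDepositSketch {
    // Event that off-chain relayers treat as proof of a deposit.
    event Deposit(address indexed token, address indexed depositor, uint256 amount);

    // The event is emitted only after a transfer that can actually fail.
    function deposit(address token, uint256 amount) external {
        require(amount > 0, "zero amount");
        TransferSketch.checkedTransferFrom(token, msg.sender, address(this), amount);
        emit Deposit(token, msg.sender, amount);
    }
}
```

A bridge that mints on the destination chain from such events should also compare the handler's token balance before and after the transfer, so the credited amount reflects what was received.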
The Qubit team has released a statement informing customers that the hacker and the affected assets are being monitored. The blog post also states that the team contacted the hacker to extend the “maximum bounty offer” as calculated by their program.
According to data from CoinGecko at the time of writing, Qubit’s QBT fell by 34.6 percent. Much of the fall happened after the robbery came to light.