Qubit Finance Exploited for $80M

  • The attacker used a deposit option in the QBridge smart contract to create a “huge amount of xETH collateral”, which he used to borrow BNB on the Binance Smart Chain.
  • The Qubit team has contacted the attacker, and offered him the maximum reward it could give if he returns the stolen funds.
hacking

Shutterstock

Binance Smart Chain-based decentralized finance (DeFi) protocol Qubit Finance has suffered a major attack, which saw over $80 million worth of crypto leave the platform, Qubit said on Twitter on 28 January.

According to the announcement, hackers were able to access and steal over $80 million from the project by creating “a huge amount of xETH collateral”, which he then used tp borrow Binance Coin (BNB) tokens on BSC. From the linked address we can see he was able to withdraw 206,809 BNB from Qubit’s QBridge protocol. Qubit’s team is currently working with “security and network partners” to follow the hacker, and work on the next steps.

Security firm CertiK has already issued a report on the case, saying the attacker used a deposit option in the QBridge smart contract to mint 77,162 qXETH — an asset representing bridged ETH through Qubit — fooling the protocol he had deposited money when he hadn’t. These actions were carried out multiple times, allowing him to convert all of his fake assets into BNB.

Qubit has sent a statement to its customers, notifying them that the situation is being monitored, and that the team has contacted the attacker and offered the maximum reward as determined by its program for returning the funds. The team has also disabled a few features — such as supply, redeem, borrow, repay, bridge, and bridge redemption — until further notice, though claiming is still available.

Discussion
Related Coverage
KuCoin Twitter Account Hacked, Exchange to Reimburse Losses
  • The Twitter account of the crypto exchange was compromised for roughly 45 minutes on Monday, resulting in 22 transactions connected to the hack.
  • KuCoin has calculated that the total asset losses were 22,638 USDT, and noted that it will fully reimburse users affected in the incident.
April 24, 2023, 8:59 AM
kucoin

Shutterstock

Exploiter Returns 90% of “Recoverable Funds” to Euler Finance
  • The remaining $31 million worth of crypto assets were returned late on Monday, marking a successful end to Euler Finance’s recovery efforts.
  • The total value of assets returned is a little over $177 million, which is 90% of the “recoverable funds” after adjusting for the 10% bounty previously offered.
Hacker Steals $9M from SafeMoon
  • SafeMoon said that only its SFM:BNB liquidity pool (LP) was affected, and that it had located the suspected exploit, and patched the vulnerability.
  • The bug was allegedly introduced with the latest SafeMoon upgrade, and allowed the attacker to burn the majority of SFM in the pool, artificially inflating its price.