January 31, 2021
Qubit Finance, which runs on the Binance Smart Chain, was hacked for more than $80 million. The Qubit Finance team confirmed the news in a tweet on Thursday (January 27, 2022). It is the largest DeFi hack of 2022 and, according to data from DeFiYield, the seventh-largest exploit on record.
Here’s everything we know:
- Qubit Finance, on Thursday, said that the attackers hacked the protocol to take 206,809 Binance Coins (which totals more than $80mn) through Qubit’s QBridge deposit function.
- The QBridge protocol is an Ethereum-BSC (Binance Smart Chain) bridge that enables users to swap ERC-20 and BEP-20 tokens between the two blockchains. Qubit said via Twitter that the hacker used the address ‘0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7’ and minted xETH to borrow on BSC.
- According to the Protocol Exploit Report by Qubit Finance, the attacker “called the QBridge deposit function on the Ethereum network, which calls the deposit function QBridgeHandler. … In summary, the deposit function was a function that should not be used after deposit ETH was newly developed, but it remained in the contract.”
- Qubit also says it is “continuing to track the exploiter and monitor affected assets.” The protocol writes that it has “contacted the exploiter to offer the maximum bounty as set by our program,” and that it is “cooperating with security and network partners, including Binance.” They also posted to Twitter proposing a negotiation with the hackers.
- Qubit Finance has also disabled a number of account management features until further notice. However, its claiming feature is still available, it said.
- “We are continuing to investigate and are in communications with Binance,” Qubit wrote. “Further updates and a full report will be shared as they become available.”
- Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts.
- “For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum,” CertiK explained.
- They further said, “[crypto security] is something we have our eyes on as one of the key trends of 2022 – and the first team to bring a secure, decentralized, and user-friendly cross-chain bridge to market will reap the rewards.”
- Blockchain Asset Review (BAR) spoke with blockchain expert Karthik Iyer last year on DeFi risks. Listen to the podcast here.
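The failure CertiK describes, tokens released on Binance Smart Chain when none were deposited on Ethereum, is a mismatch a bridge relayer or monitor can catch by reconciling each deposit event against what actually arrived in bridge custody in the same transaction. The sketch below is an added example, not code from Qubit, CertiK or this article; the event shapes, field names and sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DepositEvent:
    """What the source-chain bridge contract *claims* was deposited."""
    tx: str
    depositor: str
    token: str
    amount: int  # base units


@dataclass(frozen=True)
class CustodyTransfer:
    """What was actually observed moving into bridge custody."""
    tx: str
    token: str
    amount: int  # base units


def unbacked_deposits(events, transfers):
    """Return deposit events whose cumulative claimed amount exceeds
    the value that really reached custody in the same transaction."""
    received = defaultdict(int)
    for t in transfers:
        received[(t.tx, t.token)] += t.amount

    claimed = defaultdict(int)
    flagged = []
    for e in events:
        key = (e.tx, e.token)
        claimed[key] += e.amount
        if claimed[key] > received[key]:
            flagged.append(e)  # hold: do not mint on the destination chain
    return flagged


# Constructed sample data (hypothetical transactions and depositors).
SAMPLE_EVENTS = [
    DepositEvent("0xaaa", "depositor_a", "ETH", 5),     # fully backed
    DepositEvent("0xbbb", "depositor_b", "ETH", 1000),  # event with no transfer
    DepositEvent("0xccc", "depositor_c", "ETH", 3),     # backed by the 4 received
    DepositEvent("0xccc", "depositor_c", "ETH", 3),     # pushes claims to 6 > 4
]
SAMPLE_TRANSFERS = [
    CustodyTransfer("0xaaa", "ETH", 5),
    CustodyTransfer("0xccc", "ETH", 4),
]
```

A relayer would run this check before signing any mint, and a monitor would alert on every flagged event.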
About the author
Sharan Kaur Phillora’s thirst for knowledge has led her to study many different subjects, including NFTs and Blockchain technology – two emerging technologies that will change how we interact with each other in the future. When she isn’t exploring a new idea or concept, she enjoys reading literary masterpieces.