Qubit DeFi platform hack resulted in $80 million of crypto stolen

Hackers exploited a flaw in the smart contract code used in an Ethereum bridge to steal close to a hundred million

Attackers exploited the function on the network. Hackers managed to exploit the flaw in the deposit function and obtain $80 million worth of crypto. The company is trying to pay to get those funds back.

Qubit Finance announced the hack that resulted in $80 million in stolen cryptocurrency last week. The hack affected thousands of real customers, and the company begged the hackers to return the stolen funds.[1] Qubit Finance, a decentralized finance (DeFi)[2] platform, became the victim of a high-value theft. Attackers managed to steal a large amount of cryptocurrency, making this the largest hack of 2022 so far,[3] even though another hack hit the Crypto.com platform a few weeks earlier.

The company acknowledged the Qubit Finance incident:

The exploit and loss of funds have a profound effect on thousands of real people

The protocol was exploited by an attacker who managed to obtain 206.809 Binance coins from Qubit's QBridge protocol. This cryptocurrency is worth up to $80 million.[4] The announcement also comes with an assurance that the company has tracked the hacker and is monitoring the stolen funds.

The exploitation of the QBridge deposit function

The criminals who stole funds from the platform exploited a particular security flaw in the QBridge deposit function on the Ethereum network. The QBridgeHandler receives the WETH token, which is the original token address, and if the person who performed the transaction does not hold the WETH token, the transfer is not possible.

The function was not supposed to be used after depositETH was newly developed. It remained in the smart contracts, however. Various network partners are now working on this issue, and the security issues are going to be solved. The Bridge redemption function should be disabled until further notice.

The attacker took advantage of a logical error in the code and managed to input malicious data and withdraw tokens on Binance Smart Chain when no funds had been deposited on Ethereum. In other words, the hackers deposited 0 ETH and withdrew almost $80 million in Binance Coin in exchange. Since the launch of Binance Smart Chain in 2020, many DeFi projects have been hacked, and this particular incident is one of the larger ones, coming just $8 million shy of the Venus Finance hack.[5]
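The failure described above, a deposit recorded on one chain with nothing actually received, is the kind of mismatch a relayer-side reconciliation check can hold back before anything is released on the other chain. The following is an added example, not code from Qubit or QBridge; the event fields, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WEI = 10**18  # base units per whole token

@dataclass(frozen=True)
class DepositEvent:
    """A deposit as reported by the source-chain bridge (hypothetical model)."""
    tx: str              # placeholder transaction label
    claimed: int         # amount the event says was deposited, in wei
    custody_before: int  # bridge custody balance before the tx, in wei
    custody_after: int   # bridge custody balance after the tx, in wei

def backed_amount(ev: DepositEvent) -> int:
    """Value that actually arrived in custody during the transaction."""
    return max(ev.custody_after - ev.custody_before, 0)

def should_relay(ev: DepositEvent) -> bool:
    """Release on the destination chain only for non-zero, fully backed deposits."""
    return ev.claimed > 0 and backed_amount(ev) >= ev.claimed

def reconcile(events):
    """Return (relayable tx labels, held tx labels, total unbacked wei)."""
    ok, held, shortfall = [], [], 0
    for ev in events:
        if should_relay(ev):
            ok.append(ev.tx)
        else:
            held.append(ev.tx)
            shortfall += ev.claimed - min(backed_amount(ev), ev.claimed)
    return ok, held, shortfall

# Constructed sample events, not data from the incident.
SAMPLE = [
    DepositEvent("tx-a", 5 * WEI, 100 * WEI, 105 * WEI),       # normal deposit
    DepositEvent("tx-b", 70_000 * WEI, 105 * WEI, 105 * WEI),  # event, no funds received
    DepositEvent("tx-c", 2 * WEI, 105 * WEI, 106 * WEI),       # only partially backed
]

if __name__ == "__main__":
    ok, held, shortfall = reconcile(SAMPLE)
    print("relay:", ok)
    print("hold:", held, "unbacked:", shortfall // WEI, "tokens")
```
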

The company offered the maximum bug bounty for the return of funds

The company stated that this was a huge hit and a major loss. They noted that an attempt to contact the attackers was made. The report stated that officials tried to offer them the maximum bug bounty amount in exchange for the return of the obtained funds. DeFi platforms that were hacked before have also tried this way out of a hack.[6]

The sum offered was $250,000, and negotiations were initiated. Qubit Finance was asking to have a conversation with the hackers because thousands of users were affected by this incident. Since the sum stolen is significantly bigger, these hackers are less likely to communicate and negotiate any solution.

Hackers are mainly concerned about their profit and financial gains. Even when more dangerous threats get released on systems and networks belonging to companies or everyday users, paying those demands and contacting criminals is never recommended. Ransomware, the biggest threat in the cybersecurity world, is becoming more and more advanced, affecting many fields and sectors. Criminals become greedy, so hacks, breaches, and infections should always be taken seriously.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

