
Qubit Finance loses $80 million worth of crypto to hackers

Another day, another crypto hack as Qubit Finance, a decentralized finance platform, becomes a victim of digital asset theft. The hackers made off with about $80 million worth of crypto. This is so far the largest haul in 2022.

According to Qubit Finance’s report, the attack took place on January 5th, 5 PM ET. The company acts as a link between multiple blockchains by helping to pass cryptocurrencies between them. Its services let users deposit in one cryptocurrency and withdraw in another.

According to crypto security expert CertiK, the attackers exploited a security flaw in Qubit’s smart contract code that allowed them to deposit 0 ETH and withdraw $80 million worth of Binance Coin. “As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than [$80 million].”

Meanwhile, Qubit has taken to Twitter to appeal to the attacker, trying to persuade them to negotiate to avoid losses to the Qubit crypto community. Whether the plea will work remains to be seen.

Qubit says it is monitoring the hackers and the affected assets and cooperating with its security partners.

Attacks on decentralized finance companies have been on the rise: Meerkat Finance lost $31 million to a hack in March 2021, while $50 million was stolen from Uranium Finance. Venus Finance also lost $88 million to a hack last May.

Here is Qubit’s incident report, obtained from their Medium blog:

The Qubit protocol was subject to an exploit to our QBridge deposit function.

This report includes an analysis of the attack in its entirety in order to ascertain the nature of the exploit and to prevent any similar exploits in the future.

Incident Timeline

1. Jan-27-2022 09:18:55 PM +UTC: 0.8887725 ETH sent from tornado to attacker account

2. Jan-27-2022 09:34:01 PM +UTC ~ Jan-27-2022 09:50:41 PM +UTC: Sent 16 deposit tx to QBridge of Ethereum

3. Jan-27-2022 09:36:32 PM +UTC ~ Jan-27-2022 09:51:02 PM +UTC: Sent 16 voteProposal tx to QBridge contract of BSC by Qubit Relayer

4. A number of xETH tokens were minted by 16 voteProposal tx, and liquidity in Qubit was withdrawn using this as collateral

Exploit Method

The attacker called the QBridge deposit function on the Ethereum network, which calls the deposit function of QBridgeHandler.

QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur.

tokenAddress.safeTransferFrom(depositer, address(this), amount);

In the code above, tokenAddress is 0, so safeTransferFrom didn’t fail and the deposit function ended normally regardless of the amount value.

Additionally, tokenAddress was the WETH address before depositETH was added, but as depositETH is added, it is replaced with the zero address that is the tokenAddress of ETH.

In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract.

Actions taken

1. The team is continuing to track the exploiter and monitor affected assets.

2. The team has contacted the exploiter to offer the maximum bounty as set by our program.

3. The team is cooperating with security and network partners, including Binance.

4. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available.

We want to thank all the individuals, security partners, and projects who reached out and helped with information. We are continuing to investigate and are in communications with Binance. Further updates and a full report will be shared as they become available.
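
The failure mode described in the report's "Exploit Method" section, shown as an added Solidity sketch that is not Qubit's contract code. It assumes the transfer helper wraps a low-level call and accepts empty return data as success; the library, contract, event and deposit function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Qubit's code. Only safeTransferFrom, tokenAddress,
// depositer and amount come from the report; other names are hypothetical.
library TransferSketch {
    bytes4 private constant TRANSFER_FROM =
        bytes4(keccak256("transferFrom(address,address,uint256)"));

    // Assumed helper shape: low-level call, empty return data accepted so
    // that tokens returning nothing still work. A call to an address with
    // no code, such as address(0), succeeds and returns empty data, so the
    // require below passes although no token moved.
    function lenientTransferFrom(address token, address from, address to, uint256 value) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, value));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }

    // Hardened: refuse any target that has no contract code.
    function strictTransferFrom(address token, address from, address to, uint256 value) internal {
        require(token.code.length > 0, "token has no code");
        lenientTransferFrom(token, from, to, value);
    }
}

contract HandlerSketch {
    // Stand-in for the record a relayer would act on (assumption).
    event Deposit(address indexed depositer, address tokenAddress, uint256 amount);

    // Flawed path: with tokenAddress == address(0) this emits Deposit for
    // any amount without receiving anything.
    function depositLenient(address tokenAddress, uint256 amount) external {
        address depositer = msg.sender;
        TransferSketch.lenientTransferFrom(tokenAddress, depositer, address(this), amount);
        emit Deposit(depositer, tokenAddress, amount);
    }

    // Corrected path: the zero address (used for native ETH) is rejected
    // here, and code-less targets are rejected in the helper.
    function depositStrict(address tokenAddress, uint256 amount) external {
        require(tokenAddress != address(0), "use depositETH for ETH");
        address depositer = msg.sender;
        TransferSketch.strictTransferFrom(tokenAddress, depositer, address(this), amount);
        emit Deposit(depositer, tokenAddress, amount);
    }
}
```

Removing the legacy deposit path once depositETH existed, which the report's summary identifies as the underlying mistake, closes the same gap at the source.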

Written by HackerVibes
