$79 845 000 USD

JANUARY 2022

GLOBAL

QUBIT FINANCE

DESCRIPTION OF EVENTS

"Qubit is a decentralized money market platform that takes advantage of the speed, automation, and security of the blockchain to connect lenders and borrowers efficiently and securely."

 

"Users of Qubit Finance can participate as lenders and borrowers. Lender: As a liquidity provider, lenders can deposit assets to lend out to others. Liquidity providers will earn interest on their deposited assets. Borrower: A borrower can deposit assets as collateral and borrow assets in return."

 

"At Qubit, we are committed to making money markets a secure commodity for the entire BSC Ecosystem. Consequently, Qubit does not charge the withdrawal fees that have hindered the innovative applications of more sophisticated leveraged strategies on the BSC."

 

"Qubit is also explicitly committed to furthering ecosystem security on the BSC. Qubit does this in two ways. First, Qubit does not support flash loans, which eliminates from the platform one of the greatest sources of insecurity in the entire ecosystem."

 

"Second, Team Qubit will fully support vertically integrated code review and full-stack audits for all whitelisted projects that build on the Qubit platform. This represents a significant but necessary ecosystem investment by Qubit in order to eliminate the vulnerabilities that were injected into the BSC ecosystem by the uncoordinated migrations that interrupted and disrupted many projects this past May."

 

"At 9:34PM UTC on January 27th, 2022, an attacker began their exploit of Qubit Finance’s Ethereum-BSC bridge." "The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler. QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur," the company explained.

 

"In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance."

 

"Blockchain security and data analytics company PeckShield has revealed that the reason for the hack is to create an immense amount of xETH (xplosive Ethereum) collateral. xETH provides a wallet service for secret transactions and brings more privacy to ETH payments. The hackers have created the scheme to drain the whole BNB stored on QBridge."

 

"Moreover, CertiK, a blockchain security firm, pointed out that the deposit option in QBridge was prone to hackers with which they illegally minted 77,162 qXETH assets in Qubit. Rekt database informed that hackers have used such fraudulent activities several times to convert all the hacked assets to BNB, making it the seventh-largest exploit in DeFi."

 

"According to blockchain security firm CertiK, the hackers took advantage of a logical error in Qubit Finance’s code. The DeFi platform said the smart contract software bug allowed the hacker to transfer about 206,809 Binance coins worth about $80 million after depositing 0 ETH."

 

"This exploit ended up netting them 77,162 qXETH ($185 million), which they then used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in various stablecoins, and ~$5 million in CAKE, BUNNY, and MDX."

 

“The attacker called the ‘deposit()’ function in the QBridge contract without any ETH attached in this transaction,” CertiK wrote.

 

"The attacker injected malicious data, and the deposit logic failed to invoke a function to verify the data injected. The report noted that the ‘tokenAddress.safeTransferFrom()’ fails to revert when the ‘tokenAddress’ parameter is zero."

 

"The researchers also discovered two more logical errors that attackers could exploit. One flaw could allow an attacker to deposit ETH and ERC20 tokens using the same event."

 

"In a conversation today, Tal Be’ery, CTO at cryptocurrency wallet app ZenGo, has also pointed out that Qubit’s hack is part of a larger trend in the cryptocurrency industry."

 

“Recently a few bridge projects were hacked: Polychain MATIC, Multichain and now Qubit,” Be’ery said.

 

“Bridge projects, ‘moving’ tokens and coins from one blockchain to another, seem to be more vulnerable to attacks as they don’t move the tokens themselves, but instead use a deposit function to exchange the coin to some internal representation, and do their internal cross-chain accounting with this representation,” he added.

 

“If there is an error there, the attacker can ‘print’ money in the internal representation and then withdraw it for ‘real’ money,” Be’ery said, explaining the base mechanism behind the hacker’s exploit and how they managed to steal Qubit’s funds.
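The CertiK finding quoted above (a `safeTransferFrom()` that does not revert when `tokenAddress` is zero) and Be’ery’s description of a bridge crediting an internal representation on deposit are illustrated together in the Solidity below. This is an added example, not Qubit’s source: the helper is modelled on the common low-level-call "safe transfer" pattern that has the property CertiK describes, and the handler, resource mapping and function names are assumptions chosen to mirror the deposit path in the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Modelled helper (assumption, not Qubit's code): a low-level call to an address
// with no code, address(0) included, succeeds and returns empty data, so this
// "safe" transfer does not revert and the caller proceeds as if tokens arrived.
library LooseSafeToken {
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // 0x23b872dd is the selector of transferFrom(address,address,uint256)
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(0x23b872dd, from, to, amount));
        // Empty return data is tolerated for tokens that return nothing, which
        // also tolerates the empty return of a call to a code-less address.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}

// Hardened variant: refuse to "transfer" from anything that is not a deployed contract.
library StrictSafeToken {
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        require(token != address(0) && token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(0x23b872dd, from, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}

// Hypothetical handler shaped like the deposit path described in the text: the token
// for a resource ID is read from storage and an internal balance is credited after
// the transfer "succeeds". This credit is the internal representation Be'ery refers to.
contract BridgeHandlerExample {
    mapping(bytes32 => address) public resourceIDToTokenContractAddress;
    mapping(bytes32 => mapping(address => uint256)) public credited;

    // Admin setter (assumed); a resource whose token is never set maps to address(0).
    function setResource(bytes32 resourceID, address token) external {
        resourceIDToTokenContractAddress[resourceID] = token;
    }

    // Vulnerable shape: nothing checks that the looked-up token is a real contract,
    // so the credit line is reached even when token == address(0).
    function depositLoose(bytes32 resourceID, address depositer, uint256 amount) external {
        address token = resourceIDToTokenContractAddress[resourceID];
        LooseSafeToken.safeTransferFrom(token, depositer, address(this), amount);
        credited[resourceID][depositer] += amount;
    }

    // Hardened shape: an unset or non-contract token reverts before any credit is recorded.
    function depositStrict(bytes32 resourceID, address depositer, uint256 amount) external {
        address token = resourceIDToTokenContractAddress[resourceID];
        StrictSafeToken.safeTransferFrom(token, depositer, address(this), amount);
        credited[resourceID][depositer] += amount;
    }
}
```

A review check that follows from this: any storage-driven token lookup feeding a low-level call should be paired with a code-size or allow-list check, and retired entry points such as the old `deposit` should be removed rather than left callable beside their replacement.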

 

"Qubit finance said it was tracking the hacker and working with security networks and Binance. Additionally, the DeFi platform disabled the Redeem, Borrow, Repay, Bridge, and Bridge redemption functionalities indefinitely."

 

"The DeFi platform has also identified the attacker’s address and confirmed that the assets were still in the accounts. Qubit opened an opportunity for negotiations imploring the attacker to engage the company for a negotiable maximum bounty offer."

 

"Later, the company disclosed that the attacker had swapped all the stolen assets into a single ETH wallet. Qubit promised to commit resources to solve the issue and expressed its willingness to compensate the victims."

 

"Qubit has asked the hacker to return the funds, so far to no avail." "As of the time of publication, the attacker’s address still holds approximately $80 million of stolen assets."

 

"Lastly, our willingness to compensate. As early innovators in the DeFi space, our goal is to continue our work. In light of this event, we are committed to developing a means to compensate members of the community who have been affected by this attack."

Qubit Finance is a decentralized lending platform. Late on January 27th, an attacker brought funds from TornadoCash and used them to exploit the smart contract hot wallet, creating a fake deposit and then withdrawing 206,809 Binance coins from the hot wallet. The platform has pledged to continue tracking the funds, and so far the attacker has not made an effort to move them from their wallet. However, given that their source of funds came from TornadoCash, it is unlikely they can be identified unless they attempt to cash out the funds without going through TornadoCash again. A bounty was offered, but the attacker has not yet responded.

Sources And Further Reading
