Qubit Finance Suffers $80 Million Loss in Protocol Exploit

Decentralised lending platform Qubit Finance has suffered an exploit of its smart contract governing deposits on the Ethereum-Binance Smart Chain (BSC) bridge, losing 206,809 Binance Coin (BNB) in the biggest hack of the year so far.

Qubit’s losses were estimated at US$80 million on January 27, according to security firm PeckShield. According to Qubit’s own exploit report, the hacker(s) took advantage of a logical error in the code which allowed them to maliciously withdraw tokens from the Binance Smart Chain bridge without depositing Ethereum (ETH).

Even though the contract had zero ETH deposited into it, the attacker’s address had access to 77,162 qXETH (worth US$185 million) to use as collateral against loans on Qubit.

Funds Still Sitting in Hacker’s Wallet

According to the breakdown posted by CertiK, the funds were then used to borrow “15,688 wETH ($US37.6 million), 767 BTC-B ($US28.5 million), approximately $US9.5 million in various stablecoins, and $US5 million in CAKE, BUNNY, and MDX”. Thereafter, the funds were converted to just over 200,000 BNB, which is still sitting in the hacker’s wallet.

In summary, the deposit function was a function that should not [have been] used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance.

Qubit Finance report

Qubit Negotiates for Stolen Funds

Following the incident, the Qubit team tried to contact the hackers to offer a bug bounty of $US250,000 on ImmuniFi, but are also still prepared to negotiate:

As chains and protocols utilise the multi-chain environment, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers. In December, MonoX was also hacked for an estimated US$31 million.