Early in the morning of January 28, the Qubit Finance team published a statement on Twitter reporting that an attacker had used a vulnerability in the protocol to mint an unlimited number of tokens. No other details of the hack were available at the time of publication.
“The protocol was hacked; [wallet address]. The hacker minted an infinite amount of xETH and borrowed against it on BSC. The team is currently developing a plan of action together with security specialists.”
Qubit lost $80 million
PeckShield, a company specializing in blockchain security and smart-contract audits, confirmed the exploit, stating:
“It looks like QBridge @QubitFin was hacked, a huge amount of xETH was minted, used as collateral, and tokens worth about $80 million were taken from the pool.”
Ethereum-BSC bridge of Qubit Finance suffered a hack to the tune of $80 million in the largest DeFi exploit of 2022. Hackers exploited the “deposit” function to steal cryptocurrencies from Qubit Finance.
Qubit Finance suffers largest DeFi hack of 2022
Qubit Finance, a decentralized lending and borrowing platform, was hacked for $80 million. The bridge collapsed in the largest DeFi hack of 2022.
The money market platform connects lenders and borrowers efficiently and securely.
It works much like a conventional bank: lenders deposit assets to lend out, and borrowers borrow those assets. Qubit Finance uses smart contracts rather than third parties to provide customers with financial services such as trading, lending, and borrowing. QBridge is a cross-chain feature that allows users to collateralize their assets on other networks without having to move their assets between chains.
How did it get hacked?
According to an “incident analysis” by security firm CertiK, the attacker used a deposit option in the QBridge contract to illegally generate 77,162 qXETH, which is an asset representing Ether bridged over Qubit.
The procedure was tampered with to make it appear as if the attackers had made a deposit when they hadn’t.
On the 27th of January 2022, Qubit Finance tweeted about the biggest DeFi (Decentralized Finance) exploit of 2022, which resulted in them losing $80 million of cryptocurrency in the form of 206,809 Binance coins.
What is Qubit Finance?
Qubit is a decentralized money market platform that takes advantage of the speed, automation, and security of the blockchain to connect lenders and borrowers efficiently and securely.
Kim Grauer, told ZDNet. “We also know that criminals are the first to adapt to new technology to avoid discovery, and this year was no exception.” This statement explains why DeFi technologies have been the target of so many assaults.
As explained, the hacker was able to exploit a logic error made by Qubit’s team. To tackle that, I believe they should have added more layers of security, as adding a second layer multiplies the original complexity of the problem and makes it far less likely that hackers will be able to exploit them.
Lastly, I believe that this incident signifies how important cybersecurity is.
How are they solving the problem?
The Qubit Finance team publicly tweeted that they are offering the hackers a generous bounty worth $2 million, without prosecution, if the attackers return all the stolen money, though as of right now the hackers have not responded.
PeckShield, which audited Qubit’s smart contracts, said the QBridge was hacked to mint a “huge amount of xETH collateral” that was then used to drain the entire amount of BNB held on QBridge.
In an incident report, security firm CertiK said the attacker used a deposit function in the QBridge contract and illicitly minted 77,162 qXETH, an asset that represents ether bridged via Qubit. Attackers tricked the protocol to show that they had deposited funds without making an actual deposit.
These steps were repeated several times, and the attacker then converted all the assets to BNB, CertiK said in a tweet.
The exploit is the seventh-largest attack on a DeFi protocol by the amount of funds stolen, as per data from analytics tool DeFi Yield.
Qubit’s QBT is down 25% in the past 24 hours, as per data from CoinGecko.
Binance Smart Chain-based Qubit Finance was exploited for over $80 million by attackers on Friday morning, developers confirmed in a post.
“The hacker minted unlimited xETH to borrow on BSC. The team is currently working with security and network partners on next steps,” developers said in a tweet.
Addresses connected to the attack show 206,809 binance coins (BNB) were drained from Qubit’s QBridge protocol. The assets are worth over $80 million at current prices, security firm PeckShield confirmed in a tweet.
Decentralized finance (DeFi) projects like Qubit Finance rely on smart contracts instead of third parties to offer financial services, such as trading, lending, and borrowing, to users.
Qubit allows users to supply their crypto holdings to the protocol and borrow loans against this collateral for a fixed fee.
“We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation.
Let’s figure out a situation,” the Qubit Finance Team wrote.
The company later explained in a blog post that their Qubit protocol “was subject to an exploit to our QBridge deposit function.”
“The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler. QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur,” the company explained.
Qubit’s Ethereum-BSC bridge connects the two blockchains in a way that users deposit ERC-20 tokens and receive BEP-20 in return. The bridge was targeted by attackers, exploiting the “deposit” contract.
Attackers input malicious data in the bridge’s infrastructure and withdraw tokens on the Binance Smart Chain. The attacker’s address still holds $80 million in BSC tokens.
An official report by the Qubit team reads:
In summary, the deposit function was a function that should not be used after deposit ETH was newly developed, but it remained in the contract.
The team at Qubit Finance is still monitoring the address and network partners, including Binance.
The Ethereum QBridge recorded a deposit event and minted $qXETH for the hacker on the BSC blockchain.
“QBridge treats the deposit event as an #ETH deposit, because the ‘deposit’ and ‘depositETH’ methods in the QBridge contract emit the same event.”
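A simplified model of the flaw described above, added here as an illustration and not taken from Qubit's contracts or from the CertiK report: a legacy `deposit` path that emits the same event as `depositETH` without confirming that anything was received, next to a hardened form that checks receipt and uses a distinct event. The names `Bridge`, `pull_tokens`, `relay` and `DepositToken` are hypothetical, and the silent no-op transfer is an assumption, since the page does not say how the transfer check was bypassed.

```python
from dataclasses import dataclass, field

def pull_tokens(balances, user, amount):
    # Assumed failure mode: moves nothing and does not raise when funds are missing.
    if balances.get(user, 0) < amount:
        return 0
    balances[user] -= amount
    return amount

@dataclass
class Bridge:
    hardened: bool = False
    locked: int = 0                              # value actually held by the bridge
    events: list = field(default_factory=list)   # logs the relayer reads

    def deposit_eth(self, user, value_sent):
        # Current path: the value arrives with the call itself.
        self.locked += value_sent
        self.events.append(("Deposit", user, value_sent))

    def deposit(self, user, amount, balances):
        # Legacy token path that remained in the contract.
        received = pull_tokens(balances, user, amount)
        if self.hardened and received != amount:
            raise ValueError("nothing received, no event emitted")
        self.locked += received
        # Weak form reuses the ETH event name; hardened form uses its own.
        kind = "DepositToken" if self.hardened else "Deposit"
        self.events.append((kind, user, amount))

def relay(bridge):
    # Destination side: mint qXETH for each event it reads as an ETH deposit.
    minted = {}
    for kind, user, amount in bridge.events:
        if kind == "Deposit":
            minted[user] = minted.get(user, 0) + amount
    return minted

def run(hardened):
    bridge = Bridge(hardened=hardened)
    balances = {"alice": 5}        # constructed sample: "mallory" holds no tokens
    bridge.deposit_eth("alice", 3)
    try:
        bridge.deposit("mallory", 1000, balances)
    except ValueError:
        pass
    minted = relay(bridge)
    # Invariant a monitor can check: minted supply never exceeds locked value.
    return minted, bridge.locked, sum(minted.values()) <= bridge.locked
```

The third value returned by `run` is the backing invariant; comparing minted supply on the destination chain against value locked on the source chain is a check a bridge operator can run continuously, independent of the contract fix.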
The hacker repeated the procedure several times, increasing the haul to almost $80 million. As a result, according to DeFiYield data, this hack became the seventh largest in the decentralized finance segment.
The project's token collapsed
Qubit Finance is a DeFi lending protocol optimized for providing loans on the Binance Smart Chain network.
Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance.”
Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts.
“For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum,” CertiK explained.
DeFiYield keeps a running list of attacks on DeFi platforms, ranking the attack on Qubit as the seventh largest after Compound Labs, BadgerDAO, Cream Finance, Boy X Highspeed, Vulcan Forged, and Poly Network.
According to CertiK, the hacker carried out these actions numerous times, changing all of the funds to Binance Coin in the process.
“Essentially, the attacker took advantage of a logical mistake in Qubit Finance’s code that enabled them to insert fraudulent data and withdraw tokens on Binance Smart Chain while none were placed on Ethereum,” CertiK revealed. Qubit’s QBT was down 34.6 percent at the time of writing, according to CoinGecko statistics.