DeFi platform Qubit Finance hacked for $80 million


Blockchain & Cryptocurrency, Security Breach Notification, Cryptocurrency Fraud

Incident is the largest DeFi hack of 2022, reportedly the seventh largest on record

Dan Gunderman (dagun127)
January 28, 2022

Source: vjkombajn_152 Images via Pixabay

In the latest cyberattack on a decentralized finance protocol, money market platform Qubit Finance, which runs on Binance Smart Chain, was hacked for more than $80 million, the company confirmed via tweet late Thursday. Blockchain security experts say it is the biggest DeFi hack of 2022 and the seventh biggest exploit on record, according to data from DeFiYield.


Built on decentralized applications, or DApps, that run open-source software, the DeFi space has been a prime target for cybercriminals in recent months. These DApps do not rely on traditional intermediaries and are instead powered by peer-to-peer smart contracts. Almost $77.5 billion is locked on these platforms, according to industry tracker DeFiPulse.

What happened?

In the latest case, the attackers stole 206,809 Binance Coins, currently worth more than $80 million.

Qubit said via Twitter that the suspected attacker used the following address: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7, and “minted [or validated] unlimited xETH to borrow from BSC.”

In a Medium post on Friday, Qubit Finance said that the attacker “invoked the QBridge deposit function on the Ethereum network, which calls the QBridgeHandler deposit function. … In summary, the deposit feature was a feature not intended to be used after depositETH was redeveloped but remained in the contract.” A bridge – the target of this exploit – connects two or more blockchains, allowing for interoperability between ledgers.

Qubit also says it “continues to track the exploit and monitor affected assets.” The post adds that the company “contacted the exploiter to offer the maximum bounty set by our program” and that it “is working with security and network partners, including Binance.”

Qubit says its supply, redeem, borrow, repay, bridge, and bridge redemption functions are disabled “until further notice.”

In its note to the attacker, posted on Twitter, Qubit says: “We suggest that you negotiate directly with us before taking any further action. The exploitation and loss of funds has a profound impact on thousands of real people. … Let’s find a solution.”

Qubit Finance did not immediately respond to ISMG’s request for comment on Friday.

Screenshot of Qubit’s Medium post (Credit: Qubit Finance/Medium)

Incident analysis

CertiK, a blockchain security firm, says in an analysis provided to ISMG that the illicit activity began at 21:34 UTC on January 27, with the attacker first minting 77,162 qXETH (worth $185 million), which was then used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), about $9.5 million in stablecoins, and about $5 million in other coins. The researchers confirm that the total value lost is $80 million.

“Essentially, the attacker exploited a logic flaw in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum,” writes CertiK. “[And] all this despite multiple failovers.”
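The flaw class described in Qubit's Medium post and in CertiK's analysis above is a deprecated bridge entry point that kept emitting the event a relayer trusts. The following Solidity sketch is an added, illustrative model (not Qubit's or CertiK's code): the contract names, the `Deposit` event, the allowlist and the balance-delta check are assumptions, shown as a weak handler beside a hardened one so the defensive controls are visible side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model, not Qubit's code. A relayer mints wrapped tokens on the destination
// chain when it sees a Deposit event here, so every path that emits the event must prove
// that value really arrived on this chain.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Weak shape: a legacy deposit() path survived a redesign and still emits the
// relayer-trusted event with no allowlist and no check of what was actually received.
contract WeakBridgeHandler {
    event Deposit(address indexed depositor, address token, uint256 amount, bytes32 destChain);
    function deposit(address token, uint256 amount, bytes32 destChain) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount); // result ignored
        emit Deposit(msg.sender, token, amount, destChain);            // caller-supplied amount
    }
}

// Hardened shape: tokens are allow-listed, the event carries the amount actually
// received, and the deprecated entry point rejects callers explicitly.
contract HardenedBridgeHandler {
    event Deposit(address indexed depositor, address token, uint256 amount, bytes32 destChain);
    address public immutable owner = msg.sender;
    mapping(address => bool) public allowedToken;

    function setAllowed(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = ok;
    }
    function depositToken(address token, uint256 amount, bytes32 destChain) external {
        require(allowedToken[token], "token not allowed");
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        emit Deposit(msg.sender, token, received, destChain);
    }
    function depositETH(bytes32 destChain) external payable {
        require(msg.value > 0, "no value");
        emit Deposit(msg.sender, address(0), msg.value, destChain);
    }
    // Kept only so stale clients fail loudly instead of being silently trusted.
    function deposit(address, uint256, bytes32) external pure {
        revert("deprecated: use depositToken or depositETH");
    }
}
```

The relayer side should apply the same rule: mint on the destination chain only for events whose token is on the allowlist and whose amount was measured on-chain, and treat any call to a deprecated selector as an alert rather than a deposit.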

“The exploit of a cross-chain bridge highlights two things,” say CertiK experts. “First, the importance of cross-chain bridges that facilitate interoperability between blockchains, and second, the importance of the security of these bridges.”

They add: “As we move from an Ethereum-dominated world to a truly multi-chain world, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do it in a way that isn’t vulnerable to hackers, who can steal more than $80 million.”

“The Qubit team did the right thing and had their product vetted prior to deployment, but the fact that it was still compromised underscores the controversial nature of DeFi markets,” Connie Lam, CertiK’s incident response team lead, tells ISMG. “Each exploit is a lesson for other DeFi platforms, and while painful for those suffering the attack, the system as a whole grows stronger as it evolves to protect against known threats and attempts to unite nefarious actors to be one step ahead.”

Concerns about digital currencies

In a recent CertiK report, the company said that “centralization risks” and other code weaknesses were a major factor in the $1.3 billion in cryptoassets lost to hacks, exploits, and fraud in 2021, up from $500 million in 2020 (see: Report: DeFi undermined by centralization, code bug).

Hacking concerns surrounding crypto platforms were perhaps best illuminated in 2021, when a hacker – infamously known as “Mr. White Hat” – stole more than $600 million from Poly Network. The funds were gradually returned over the following days, although blockchain security experts suspect the hacker had trouble laundering the funds (see: Poly Network says $600 million worth of cryptocurrency was stolen).

Lawmakers also continue to grapple with the upcoming regulation of cryptocurrency. For some Republicans, tight controls across the industry could stifle innovation. Others, including many Democrats, have backed sweeping regulation of the space – citing massive volatility and security risks.

For one, Sen. Elizabeth Warren, D-Mass., has been an outspoken crypto critic, citing price volatility and the potential for overnight losses. She voiced these concerns to crypto executives during congressional hearings in 2021.

And Securities and Exchange Commission Chairman Gary Gensler has been a proponent of more aggressive regulation – he said in 2021 that the space was “riddled with fraud, fraud and abuse” (see: SEC to monitor illegal activity on DeFi platforms).

Several members of Congress have promised thorough regulatory proposals for crypto in 2022. And the White House is reportedly considering an executive order to mitigate cryptocurrency risk.

CertiK’s Lam tells ISMG that one of the next key areas of focus for crypto security will be interoperability.

“[It’s] something we have our eye on as one of the key trends of 2022 – and the first team to bring to market a secure, decentralized and easy-to-use cross-chain bridge will reap the rewards,” she says.
