Hackers stole $80 million from Qubit decentralized finance (DeFi) platform on January 27, according to the company’s statement posted on Medium.
Subsequently, the DeFi platform implored the hackers to return the stolen digital assets, adding that the incident would adversely affect real people in the Qubit community.
Qubit also offered the hackers an opportunity to legally convert the loot into a maximum bug bounty worth $250,000.
Qubit offers a bridge for investors to make deposits in one cryptocurrency and withdraw in another, operating between Ethereum and the Binance Smart Chain (BSC) network.
Hacker deposited 0 ETH on the Qubit DeFi platform and withdrew $80 million
According to blockchain security firm CertiK, the hackers took advantage of a logical error in Qubit Finance’s code. The DeFi platform said the smart contract software bug allowed the hacker to transfer about 206,809 Binance coins worth about $80 million after depositing 0 ETH.
“The attacker called the ‘deposit()’ function in the QBridge contract without any ETH attached in this transaction,” CertiK wrote.
The attacker injected malicious data, and the deposit logic failed to invoke a function to verify the data injected. The report noted that the ‘tokenAddress.safeTransferFrom()’ fails to revert when the ‘tokenAddress’ parameter is zero.
The researchers also discovered two more logical errors that attackers could exploit. One flaw could allow an attacker to deposit ETH and ERC20 tokens using the same event.
Similarly, the safeTransferFrom function does not revert when an externally owned account (EOA) deposits the funds.
CertiK researchers pointed out that the DeFi platform attack taught the crypto community crucial lessons moving forward.
“As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important,” CertiK wrote. “People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than [$80 million].”
DeFi platform working to remedy the situation
Qubit finance said it was tracking the hacker and working with security networks and Binance. Additionally, the DeFi platform disabled the Redeem, Borrow, Repay, Bridge, and Bridge redemption functionalities indefinitely.
The DeFi platform has also identified the attacker’s address and confirmed that the assets were still in the accounts. Qubit opened an opportunity for negotiations imploring the attacker to engage the company for a negotiable maximum bounty offer.
“.. If the maximum bounty offer is not what you are looking for, we are open to have a conversation,” tweeted Qubit Finance.
Later, the company disclosed that the attacker had swapped all the stolen assets into a single ETH wallet. Qubit promised to commit resources to solve the issue and expressed its willingness to compensate the victims.
The latest hack is the seventh-largest attack on a DeFi platform and the largest in 2022, according to DeFiYield. Top DeFi platform attacks include the Compound Labs heist ($89 million), the BadgerDAO exploit ($120.2 million), the Cream Finance flash loan loot ($130 million), the Boy X Highspeed compromise ($139.9 million), the Vulcan Forged access control bypass ($140 million), and the Poly Network exploit ($602.2 million). Binance Smart Chain has also suffered attacks on Venus Finance ($88 million), Uranium Finance ($50 million), and Meerkat Finance ($31 million) since April 2020.
Some hacked DeFi platforms have attempted to appeal to the hacker’s humanity, begging them to return stolen digital assets. However, such attempts have usually yielded limited success, suggesting that Qubit appeals could face the same fate.
Similarly, some DeFi platforms have transformed illegal heists into bounty programs to reduce potential losses and allow criminals to legally withdraw their loot. However, the practice remains legally contentious and is generally perceived negatively.