Qubit Finance Has Been Hacked And Stolen $80 Million

On January 28, attackers stole more than $80 million from Binance Smart Chain-based Qubit Finance.

Qubit Finance announced this attack on its official Twitter.

https://twitter.com/QubitFin/status/1486870238591594497

Addresses connected with the attack indicate that 206,809 BNB were stolen from Qubit’s QBridge protocol. According to security firm PeckShield, the stolen assets are worth more than $80 million.

https://twitter.com/peckshield/status/1486841239450255362

Incident Timeline

  • Jan-27–2022 09:18:55 PM +UTC: 0.8887725 ETH sent from tornado to attacker account
  • Jan-27–2022 09:34:01 PM +UTC~Jan-27–2022 09:50:41 PM +UTC: Sent 16 deposit tx to QBridge of Ethereum
  • Jan-27–2022 09:36:32 PM +UTC~Jan-27–2022 09:51:02 PM +UTC: Sent 16 voteProposal tx to QBridge contract of BSC by Qubit Relayer
  • A number of xETH tokens were minted by 16 voteProposal tx, and liquidity in Qubit was withdrawn using this as collateral

Exploit Method

The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler.

QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur.

tokenAddress.safeTransferFrom(depositer, address(this), amount);

In the code above, tokenAddress is 0, so safeTransferFrom didn’t fail and the deposit function ended normally regardless of the amount value.

Additionally, tokenAddress was the WETH address before depositETH was added, but as depositETH is added, it is replaced with the zero address that is the tokenAddress of ETH.

In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract.

Actions taken

  • The team is continuing to track the exploiter and monitor affected assets.
  • The team has contacted the exploiter to offer the maximum bounty as set by our program.
  • The team is cooperating with security and network partners, including Binance.
  • Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Hazel

CoinCu News

Qubit Finance Qubit Finance Qubit Finance

Qubit Finance Has Been Hacked And Stolen $80 Million

On January 28, attackers stole more than $80 million from Binance Smart Chain-based Qubit Finance.

Qubit Finance announced this attack on its official Twitter.

https://twitter.com/QubitFin/status/1486870238591594497

Addresses connected with the attack indicate that 206,809 BNB were stolen from Qubit’s QBridge protocol. According to security firm PeckShield, the stolen assets are worth more than $80 million.

https://twitter.com/peckshield/status/1486841239450255362

Incident Timeline

  • Jan-27–2022 09:18:55 PM +UTC: 0.8887725 ETH sent from tornado to attacker account
  • Jan-27–2022 09:34:01 PM +UTC~Jan-27–2022 09:50:41 PM +UTC: Sent 16 deposit tx to QBridge of Ethereum
  • Jan-27–2022 09:36:32 PM +UTC~Jan-27–2022 09:51:02 PM +UTC: Sent 16 voteProposal tx to QBridge contract of BSC by Qubit Relayer
  • A number of xETH tokens were minted by 16 voteProposal tx, and liquidity in Qubit was withdrawn using this as collateral

Exploit Method

The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler.

QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur.

tokenAddress.safeTransferFrom(depositer, address(this), amount);

In the code above, tokenAddress is 0, so safeTransferFrom didn’t fail and the deposit function ended normally regardless of the amount value.

Additionally, tokenAddress was the WETH address before depositETH was added, but as depositETH is added, it is replaced with the zero address that is the tokenAddress of ETH.

In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract.

Actions taken

  • The team is continuing to track the exploiter and monitor affected assets.
  • The team has contacted the exploiter to offer the maximum bounty as set by our program.
  • The team is cooperating with security and network partners, including Binance.
  • Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Hazel

CoinCu News

Qubit Finance Qubit Finance Qubit Finance