- The hacker minted unlimited xETH to borrow on BSC
- Attack ranks as the seventh-biggest on a DeFi protocol
Qubit Finance, which issues the Binance Smart Chain-based token QBT, suffered a hack for more than $80 million this morning, January 28, developers confirmed in a post. They tweeted:
The hacker minted unlimited xETH to borrow on BSC. The team is currently working with security and network partners on next steps.
Hackers drained 206K+ Binance Coin
Addresses linked to the attack show the hackers drained 206,809 Binance Coin (BNB) from Qubit’s QBridge protocol. At current prices, these are worth over $80 million according to security firm PeckShield.
Qubit Finance and similar decentralized finance (DeFi) projects don’t resort to third parties to provide financial services. Instead, they rely on smart contracts. These services include lending, trading, and borrowing.
Users borrow loans against collateral in crypto
On Qubit, you can provide crypto to the protocol and borrow loans against it for a flat fee. Users can use QBridge, a cross-chain feature, to collateralize their assets on other networks without moving assets between chains.
According to PeckShield, QBridge was hacked to mint a large amount of xETH collateral. Then, the cybercriminals used this to drain all of the BNB on QBridge.
Security firm CertiK reported the hacker used a deposit function in the QBridge contract to mint 77,162 qXETH illegally. This asset represents ether bridged via the protocol. The attacker tricked the protocol into thinking a deposit had been made. CertiK added in a tweet:
The exploit was caused by tokenAddress.safeTransferFrom in QBridgeHandler.sol which didn’t revert the tx when the tokenAddress is the 0x0. The Ethereum QBridge captured the Deposit event and minted $qXETH for the hacker on #BSC. The QBridge treats the Deposit event as an event of depositing #ETH because the deposit and depositETH methods in the #QBridge contract emit the same event.
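An added illustration (not Qubit's contract code and not part of the original article) of the failure CertiK describes: in the EVM, a call to an address with no contract code succeeds and returns no data, so a transfer wrapper that skips a code-existence check lets a Deposit event be emitted without any tokens moving. The Python model below is a simplification; every class, function and address name other than the zero address is hypothetical, and the sample state is constructed.

```python
# Toy model (added example, not Qubit's code). Names and state are constructed.
ZERO_ADDRESS = "0x" + "00" * 20
TRUE_WORD = (1).to_bytes(32, "big")          # ABI-encoded boolean true

class Token:
    """Minimal ERC-20 stand-in: transfer_from fails without enough balance."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            return False, b""
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True, TRUE_WORD

class Chain:
    """Maps address -> contract code. Unknown addresses have no code."""
    def __init__(self, contracts):
        self.contracts = contracts

    def call_transfer_from(self, token_addr, sender, recipient, amount):
        contract = self.contracts.get(token_addr)
        if contract is None:
            return True, b""   # EVM: CALL to a code-less account succeeds, no data
        return contract.transfer_from(sender, recipient, amount)

def transfer_unchecked(chain, token_addr, sender, recipient, amount):
    ok, data = chain.call_transfer_from(token_addr, sender, recipient, amount)
    # Empty return data is tolerated so tokens that return nothing still work.
    if not ok or (data and data != TRUE_WORD):
        raise RuntimeError("transfer failed")

def transfer_checked(chain, token_addr, sender, recipient, amount):
    if token_addr not in chain.contracts:      # hardening: require contract code
        raise RuntimeError("token address has no contract code")
    transfer_unchecked(chain, token_addr, sender, recipient, amount)

def run_deposit(transfer_fn, token_addr, depositor, amount):
    """Returns the events a relayer would see and mint against."""
    chain = Chain({"0xTOKEN": Token({"alice": 100})})   # constructed sample state
    events = []
    try:
        transfer_fn(chain, token_addr, depositor, "bridge", amount)
        events.append(("Deposit", token_addr, depositor, amount))
    except RuntimeError:
        pass                                    # reverted: no event is emitted
    return events
```

With the unchecked wrapper, a deposit naming the zero address yields a Deposit event although no balance changed; with the checked wrapper the same call reverts and the relayer sees nothing.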
To convert all the assets to Binance Coin, the attacker repeated these steps several times. By the amount of stolen funds, the attack ranks as the seventh-biggest on a DeFi protocol, according to analytics tool DeFi Yield. The tool also provides the following data:
Total Funds Lost: $2,733,045,843
Total Funds Returned: $707,780,713
REKT Total: 2,684
ETH Dominance: 31.4%
The tool provides a list of the biggest crypto hacks in history, which is still topped by Poly Network. The next three positions are held by Vulcan Forged, Boy X Highspeed, and Cream Finance.
For better or for worse, most details around the incident were made public. According to CoinMarketCap, Qubit’s native token was trading for $0.0046 at the time of writing, with a 24-hour trading volume of $161,203. It has lost 25% in the last 24 hours.