Lending platform Qubit Finance based on Binance Smart Chain (BSC) has been hacked. According to information security and blockchain analytics company PeckShield, the attackers withdrew digital assets worth about $80 million from the project pool.
It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come...
— PeckShield Inc. (@peckshield) January 27, 2022
Analysts noted that the hackers exploited the QBridge cross-chain service, which allowed them to issue a “huge” amount of xETH tokens. The latter were used to secure an illegitimate loan on the platform.
PeckShield emphasized that they audited smart contracts related to the landing component of the project. They did not check the QBridge codebase.
The Qubit Finance DeFi platform allows you to take loans secured by digital assets. The QBridge solution provides the ability to use cryptocurrencies outside of the BSC to secure loans. At the same time, they do not need to be moved from one blockchain to another.
CertiK explained that the exploit allowed attackers to issue xETH without actually making a deposit. They then converted the assets into BNB.
Incident Analysis
— CertiK Security Leaderboard (@CertiKCommunity) January 28, 2022
The hacker called `deposit()` in the QBridge #eth contract w/o really making any deposit and emitted the Deposit event
The exploit was caused by `tokenAddress.safeTransferFrom` in QBridgeHandler.sol which didn't revert the tx when the tokenAddress is the 0x0. pic.twitter.com/jBpm2W3tUP
The address associated with the attack contains 206,809 BNB, or more than $79.23 million at the exchange rate at the time of writing. This is by far the largest exploit of 2022 to date.
The project team confirmed the information about the hack. The developers contacted the hackers and offered them a reward to "minimize" the negative impact on the community.
[Our message to the exploiter]
— Qubit Finance (@QubitFin) January 28, 2022
The team is glad to have a conversation with you.https://t.co/4SxtuD6pQY pic.twitter.com/V9bICKvWda
According to the project blog, its team monitors the actions of attackers and "monitors the affected assets." Developers are working with security partners, including Binance representatives. Most of the platform's features are temporarily disabled.
Against the backdrop of the incident, the price of the Qubit project token (QBT) collapsed by 26%, according to CoinMarketCap.
Recall that in December 2021, cryptocurrency exchange AscendEX (formerly Bitmax) was hacked, as a result of which assets worth $77 million were stolen from its hot wallets.
Think we missed something? Let us know in the comment section below.