An exploit in decentralized finance (DeFi) protocol Qubit Finance enabled one hacker to walk away with $80 million in stolen crypto yesterday.
The specific smart contract flaw that enabled the attack was located in X-Bridge, a cross-chain bridge that facilitates easy token swaps between and .
This flaw enabled the attacker to input malicious data without depositing Ethereum and receive $185 million worth in Qubit xETH (an asset that represents bridged Ethereum on the Binance Smart Chain) in return.
The attacker then used this money as collateral to "borrow" about $80 million worth of crypto from various lending pools.
The full breakdown of purloined assets amounts to 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in , and $5 million in CAKE, BUNNY, and MDX tokens, according to audit firm CertiK.
Since the attacker never converted their qXETH "collateral," the total cost of the theft to Qubit Finance is $80 million.
Qubit Finance published a blog post today with a play-by-play breakdown of the attack in its entirety.
On Qubit's Twitter page, the team also tweeted that it is "glad to have a conversation with [the attacker]." It attached a screenshot of a message saying that Qubit is "prepared to offer [the attacker] the maximum bounty for the revealed exploit" in order to "minimize the effect on the community."
[Our message to the exploiter]
The team is glad to have a conversation with you. https://t.co/4SxtuD6pQY pic.twitter.com/V9bICKvWda
— Qubit Finance (@QubitFin) January 28, 2022
Blockchain security analysts PeckShield tweeted on Friday morning that it had audited Qubit Finance's lending protocol and would provide further details soon.
It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come…
— PeckShield Inc. (@peckshield) January 27, 2022
While this attack has been the largest this year, it wasn't the first cross-chain hack in 2022.
Last week, a white-hat hacker stole $1.73 million from Multichain before returning $900,000 and pocketing the rest as a bounty.
As different blockchains become popular and cross-chain activity grows alongside them, projects like Qubit and Multichain are expected to become key targets for hackers.