Qubit Finance platform hacked for $80 million worth of cryptocurrency
A threat actor has used an exploit to steal approximately $80 million from Qubit Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.
The hack took place late last night, on January 27, and was formally acknowledged by the platform within hours.
According to an incident report of the hack, Qubit said the attacker was able to steal 206,809 Binance coins (BNB) from its wallet using a vulnerability in one of its Ethereum blockchain contracts, which the company uses to process transactions for its users.
The attacker's address was identified last night, and the funds are still in the attacker's possession and haven't been laundered yet.
Since Qubit can't recover the funds on its own, the company has sent a message to the attacker using the "private note" feature of a blockchain transaction, offering to pay the hacker a bug bounty reward in the hopes of convincing the hacker to return the stolen funds.
The company later followed this statement up with a full public message posted on its Twitter account, asking the hacker again to get in contact with its team to disclose the bug and receive a bounty reward.
January 28, 2022
By doing so, Qubit has now joined a long list of cryptocurrency DeFi platforms that have gotten hacked and then begged hackers to return the funds, by agreeing to disguise any payments as bug bounty rewards, something that may not be legal in some jurisdictions.
The company has not returned a request for comment on whether the hacker has engaged in any communications so far.
If the hacker refuses to return the funds, the Qubit hack will also rank as one of the Top 10 largest hacks of a DeFi platform ever recorded.
In a conversation today, Tal Be'ery, CTO at cryptocurrency wallet app ZenGo, also pointed out that Qubit's hack is part of a larger trend in the cryptocurrency industry.
"Recently a few bridge projects were hacked: Polychain MATIC, Multichain and now Qubit," Be'ery said.
"Bridge projects, 'moving' tokens and coins from one blockchain to another, seem to be more vulnerable to attacks as they don't move the tokens themselves, but instead use a deposit function to exchange the coin to some internal representation, and do their internal cross-chain accounting with this representation," he added.
"If there is an error there, the attacker can 'print' money in the internal representation and then withdraw it for 'real' money," Be'ery said, explaining the base mechanism behind the hacker's exploit and how they managed to steal Qubit's funds.
Besides Qubit's own report, blockchain security firm CertiK has also published an alternative analysis of the Qubit Finance exploit, for readers looking to learn more about the technical side of the attack.
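The accounting risk Be'ery describes can be watched for by reconciling what a bridge credits internally against what its vault actually received. The sketch below is an added example, not code from Qubit, CertiK or the article; the Deposit and Mint records, the function names and the sample transactions are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Deposit:            # source chain: what the bridge's deposit function logged
    tx: str
    recorded: Decimal     # amount the bridge credited internally
    received: Decimal     # amount the vault balance actually grew by

@dataclass(frozen=True)
class Mint:               # destination chain: internal representation issued
    deposit_tx: str
    amount: Decimal

def reconcile(deposits, mints):
    """Return (tx, reason) findings where issued value is not backed by locked funds."""
    findings, backing = [], {}
    for d in deposits:
        if d.recorded > d.received:
            findings.append((d.tx, "deposit credited more than the vault received"))
        # Only value that really arrived counts as backing.
        backing[d.tx] = backing.get(d.tx, Decimal(0)) + min(d.recorded, d.received)
    for m in mints:
        available = backing.get(m.deposit_tx, Decimal(0))
        if m.amount > available:
            findings.append((m.deposit_tx, "mint exceeds locked backing"))
        backing[m.deposit_tx] = max(available - m.amount, Decimal(0))
    return findings

def is_solvent(deposits, mints):
    """Global invariant: total representation issued <= total value actually locked."""
    locked = sum((d.received for d in deposits), Decimal(0))
    issued = sum((m.amount for m in mints), Decimal(0))
    return issued <= locked

# Constructed sample data (not taken from the Qubit incident).
SAMPLE_DEPOSITS = [
    Deposit("tx-a", Decimal("10"), Decimal("10")),   # honest deposit
    Deposit("tx-b", Decimal("500"), Decimal("0")),   # credited, nothing locked
]
SAMPLE_MINTS = [
    Mint("tx-a", Decimal("10")),
    Mint("tx-b", Decimal("500")),
    Mint("tx-c", Decimal("5")),                      # no matching deposit at all
]

if __name__ == "__main__":
    for tx, reason in reconcile(SAMPLE_DEPOSITS, SAMPLE_MINTS):
        print(f"ALERT {tx}: {reason}")
    print("solvent:", is_solvent(SAMPLE_DEPOSITS, SAMPLE_MINTS))
```

A monitor of this kind can run continuously and pause withdrawals as soon as the solvency invariant fails, rather than after funds have left the bridge.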
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.