
DeFi Platform Qubit Finance Hacked for $80 Million

Incident Is the Biggest DeFi Hack of 2022, Reportedly 7th Largest on Record

In the latest cyberattack targeting decentralized finance protocols, the money market platform Qubit Finance, which runs on the Binance Smart Chain, was hacked for more than $80 million, it confirmed via tweet late Thursday. Blockchain security experts say it is the largest DeFi hack of 2022, and according to data from DeFiYield, the seventh-largest exploit on record.


The DeFi space, built on decentralized applications, or DApps, that run open-source software, has been a primary target for cybercriminals in recent months. DApps do not rely on traditional intermediaries; they are instead powered by peer-to-peer smart contracts. According to industry tracker DeFiPulse, nearly $77.5 billion is locked across these platforms.

What Happened?

In this instance, the attacker stole 206,809 Binance Coin (BNB), currently worth more than $80 million.

Qubit said via Twitter that the alleged hacker has the following address: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7, and "minted [or validated] unlimited xETH to borrow on BSC."

In a Medium post on Friday, Qubit Finance said that the attacker "called the QBridge deposit function on the Ethereum network, which calls the deposit function QBridgeHandler. ... In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract." A bridge - the target of this exploit - connects two or more blockchains, allowing for interoperability across the ledgers.

Qubit also says it is "continuing to track the exploiter and monitor affected assets." The protocol writes that it has "contacted the exploiter to offer the maximum bounty as set by our program," and that it is "cooperating with security and network partners, including Binance."

Qubit says its supply, redeem, borrow, repay, bridge and bridge redemption functions are disabled "until further notice."

And its note to the attacker, posted to Twitter, reads: "We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. … Let's figure out a solution."

Qubit Finance did not immediately respond to ISMG's request for comment on Friday.


Incident Analysis

CertiK, a blockchain security firm, says in its analysis provided to ISMG that the illicit activity began at 9:34 p.m. UTC on Jan. 27, first netting hackers 77,162 qXETH ($185 million), which was used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in stablecoins, and approximately $5 million in other coins. The researchers confirm that the total value lost is $80 million.

"Essentially what the attacker did is take advantage of a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum," CertiK writes. "[And] all this, despite several fail-safes."
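The root cause described in Qubit's Medium post above and in CertiK's summary is a bridge entrypoint that emitted a deposit event without verifying that anything was actually locked on the source chain. The following is an added example, not Qubit's or CertiK's code: a simplified Python model of a lock-and-mint bridge in which a legacy deposit() path survives beside a newer deposit_eth(), the ETH resource's token slot has been cleared (modelled here as a token whose transfer silently does nothing, which is an assumption of the model, not a statement about Qubit's contracts), and a relayer mints on the destination chain from deposit events alone. All contract, function and resource names and the sample deposits are constructed for illustration. The hardened handler adds the check a reviewer would want on any bridge deposit path: it emits the event only after confirming that the handler's token balance actually rose by the requested amount.

```python
"""Simplified lock-and-mint bridge model (added example, not Qubit Finance's code).
Names, resources and amounts are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

ETH_RESOURCE = "resource:ETH"  # hypothetical resource id for native ETH


class BridgeError(Exception):
    pass


class ERC20:
    """Minimal token ledger standing in for an ERC-20 contract on the source chain."""

    def __init__(self, name: str):
        self.name = name
        self.balances: dict[str, int] = {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def transfer_from(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise BridgeError("insufficient balance")
        self.balances[src] -= amount
        self.mint(dst, amount)


class NullToken:
    """Models a token slot that was cleared when a newer deposit path replaced it.
    Assumption of the model: a transfer call against it neither moves funds nor
    reverts, the way a low-level call to an address with no code succeeds silently."""
    name = "<unset>"

    def balance_of(self, who: str) -> int:
        return 0

    def transfer_from(self, src: str, dst: str, amount: int) -> None:
        return None  # no-op: nothing moves, nothing reverts


@dataclass
class DepositEvent:
    resource_id: str
    depositor: str
    amount: int


class VulnerableHandler:
    """Legacy deposit() left in place beside deposit_eth(); it emits a deposit event
    purely on the basis of caller-supplied data."""

    def __init__(self):
        self.tokens: dict[str, object] = {}
        self.events: list[DepositEvent] = []

    def deposit(self, resource_id: str, depositor: str, amount: int) -> None:
        token = self.tokens.get(resource_id)
        if token is None:
            raise BridgeError("unknown resource")
        token.transfer_from(depositor, "handler", amount)  # may be a silent no-op
        self.events.append(DepositEvent(resource_id, depositor, amount))


class HardenedHandler(VulnerableHandler):
    """Same interface, but the event is emitted only if the handler's balance of the
    token actually increased by the requested amount (balance-delta check)."""

    def deposit(self, resource_id: str, depositor: str, amount: int) -> None:
        token = self.tokens.get(resource_id)
        if token is None:
            raise BridgeError("unknown resource")
        before = token.balance_of("handler")
        token.transfer_from(depositor, "handler", amount)
        if token.balance_of("handler") - before != amount:
            raise BridgeError("token transfer did not move the expected amount")
        self.events.append(DepositEvent(resource_id, depositor, amount))


class Relayer:
    """Destination-chain side: mints wrapped tokens for every deposit event it sees."""

    def __init__(self):
        self.minted: dict[str, dict[str, int]] = {}

    def process(self, events: list[DepositEvent]) -> None:
        for ev in events:
            acct = self.minted.setdefault(ev.depositor, {})
            acct[ev.resource_id] = acct.get(ev.resource_id, 0) + ev.amount

    def minted_for(self, who: str, resource_id: str) -> int:
        return self.minted.get(who, {}).get(resource_id, 0)


def _fresh(handler_cls) -> VulnerableHandler:
    handler = handler_cls()
    handler.tokens["resource:USDC"] = ERC20("USDC")
    handler.tokens[ETH_RESOURCE] = NullToken()  # cleared slot (constructed scenario)
    return handler


def attack_scenario(handler_cls) -> tuple[int, int, str | None]:
    """Unfunded attacker calls the legacy deposit() for the ETH resource.
    Returns (tokens actually locked, wrapped tokens minted, error message)."""
    handler, relayer, error = _fresh(handler_cls), Relayer(), None
    try:
        handler.deposit(ETH_RESOURCE, "attacker", 77_162 * 10**18)
    except BridgeError as e:
        error = str(e)
    relayer.process(handler.events)
    locked = handler.tokens[ETH_RESOURCE].balance_of("handler")
    return locked, relayer.minted_for("attacker", ETH_RESOURCE), error


def legit_scenario(handler_cls) -> tuple[int, int]:
    """Funded user deposits a real ERC-20; both handlers must accept this."""
    handler, relayer = _fresh(handler_cls), Relayer()
    handler.tokens["resource:USDC"].mint("alice", 1_000)
    handler.deposit("resource:USDC", "alice", 400)
    relayer.process(handler.events)
    return handler.tokens["resource:USDC"].balance_of("handler"), relayer.minted_for("alice", "resource:USDC")


if __name__ == "__main__":
    print("vulnerable attack:", attack_scenario(VulnerableHandler))
    print("hardened attack:  ", attack_scenario(HardenedHandler))
    print("legit deposit:    ", legit_scenario(VulnerableHandler), legit_scenario(HardenedHandler))
```

Running the file shows the vulnerable handler crediting the attacker with wrapped tokens against zero locked collateral, while the hardened handler rejects the same call and still accepts an ordinary funded deposit. Deleting the deprecated entrypoint is the primary fix; the balance-delta check is the defence in depth that catches a no-op transfer however it arose, and it belongs on every path that can trigger a mint on another chain.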

"The exploit of a cross-chain bridge highlights two things," CertiK experts say. "One, the importance of cross-chain bridges that facilitate interoperability between blockchains, and two, the importance of the security of these bridges."

They add: "As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than $80 million."

"The Qubit team did the right thing and got their product audited before deployment, but the fact that it was still compromised underscores the adversarial nature of the DeFi markets," Connie Lam, head of CertiK's Incident Response Team, tells ISMG. "Each exploit is a lesson to other DeFi platforms, and while it's painful for the one that suffers the attack, the system as a whole grows stronger as it evolves to protect against known threats and attempts to stay one step ahead of nefarious actors."

Digital Currency Concerns

In a recent CertiK report, the firm said "centralization risks" and other code weaknesses were a main factor in the $1.3 billion in cryptoassets lost to hacks, exploits and scams in 2021, up from $500 million in 2020 (see: Report: DeFi Undermined by Centralization, Code Flaws).

Hacking concerns around crypto platforms were perhaps best illuminated in 2021, when a hacker - infamously dubbed "Mr. White Hat" - stole more than $600 million from Poly Network. The funds were gradually returned in the days that followed, although blockchain security experts suspect the hacker had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).

Federal leaders also continue to grapple with imminent cryptocurrency regulation. To some Republicans, stringent controls around the industry may stifle innovation. Others, including many Democrats, have backed comprehensive regulation of the space - citing massive volatility and security risks.

For one, Sen. Elizabeth Warren, D-Mass., has been an outspoken crypto critic, citing its price volatility and potential for overnight losses. She voiced these concerns to crypto executives during congressional hearings in 2021.

And Securities and Exchange Commission Chair Gary Gensler has been a proponent of more aggressive regulation - saying in 2021 that the space was "rife with fraud, scams and abuse" (see: SEC to Monitor Illicit Activity on DeFi Platforms).

Several in Congress have promised thorough regulatory proposals for crypto in 2022, and the White House is reportedly considering an executive order to de-risk cryptocurrencies.

CertiK's Lam tells ISMG that one of the next substantial focus areas for crypto security will be interoperability.

"[It's] something we have our eyes on as one of the key trends of 2022 - and the first team to bring a secure, decentralized and user-friendly cross-chain bridge to market will reap the rewards," she says.


About the Author

Dan Gunderman

News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covers governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.
