DeFi protocol Qubit Finance exploited for $80 million in a recent hack
The attacked DeFi protocol on Binance Smart Chain lost 206.809 BNB.
Losing $80 million worth of BNB tokens in a recent hack, Qubit Finance joined the unfortunate list of exploited DeFi protocols on Binance Smart Chain (BSC).
The DeFi lending protocol reported the incident in a Twitter post, revealing that the malicious attacker exploited a vulnerability on the Qubit Bridge–a cross-chain bridge to Ethereum.
What happened?
The Qubit team flagged the hacker’s address and published a detailed report which includes an analysis of the attack.
Protocol Exploit Report
This report includes an analysis of the attack in its entirety in order to ascertain the nature of the exploit and, to prevent any similar exploits in the future.https://t.co/0152W0X553— Qubit Finance (@QubitFin) January 28, 2022
QBridge enables users to deposit WETH from Ethereum mainnet to Qubit’s BSC-based smart contract, and mint xETH that can be used as collateral to borrow on BSC.
However, the attacker exploited the vulnerability and managed to mint unlimited xETH–without depositing WETH.
Using the minted xETH as collateral, the attacker drained 206,809 BNB from the lending protocol, worth roughly $80 million.
The Qubit team is continuing to monitor the affected assets, which, at the time of writing, haven’t moved from the flagged address.
Qubit attempts to contact the attacker
The exploited protocol also made attempts to contact the attacker.
In an on-chain message, the team offered a bounty of $250.000 in return for the stolen assets–the maximum amount set by Qubit’s ongoing bug bounty program.
[Our message to the exploiter]
The team is glad to have a conversation with you.https://t.co/4SxtuD6pQY pic.twitter.com/V9bICKvWda— Qubit Finance (@QubitFin) January 28, 2022
“We pursue you to negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people,” wrote the protocol on Twitter–urging the attacker to cooperate.
“If the maximum bounty offer is not what you are looking for, we are open to having a conversation. Let’s figure out a solution,” the team added.
While the team continues cooperating with security and network partners, including Binance, the protocol disabled Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions until further notice.
According to DeFi Yield’s REKT Database, Qubit Finance exploit ranks as the seventh-largest attack by the amount stolen.