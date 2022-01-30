High-profile heists are becoming more common in the cryptocurrency world

High-profile heists or hacks are becoming more common in the cryptocurrency world, and Qubit Finance is the most recent decentralised finance (DeFi) platform to be targeted by hackers. They were able to gain access to Qubit Finance, which is built on the Binance Smart Chain, and steal approximately $80 million (about Rs 600 crores). Qubit's QBridge protocol was robbed of 2,06,809 Binance Coin (BNB) by the addresses associated with the heist. This is the largest cryptocurrency heist in 2022 so far. Qubit Finance admitted to the heist in a tweet. “The team is currently working with security and network partners on next steps. We will share further updates when available,” stated the tweet.

The protocol was exploited by;

0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7

The hacker minted unlimited xETH to borrow on BSC.

The team is currently working with security and network partners on next steps.

We will share further updates when available. — Qubit Finance (@QubitFin) January 28, 2022

According to security firm PeckShield, the assets were valued over $80 million at current rates. PeckShield had audited Qubit's smart contracts. The security firm also stated that the QBridge was hacked to mint a “huge amount of xETH collateral” that was then used to drain the entire amount of Binance Coin held on QBridge.

It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come... — PeckShield Inc. (@peckshield) January 27, 2022

DeFi platforms such as Qubit Finance use smart contracts rather than third parties to provide customers with financial services such as trading, lending, and borrowing. Users can supply their cryptocurrency holdings to the Qubit protocol and borrow money against those for a predetermined amount. QBridge is a cross-chain functionality that allows users to collateralise their assets on other networks without having to move their assets between chains.

The attacker used a deposit option in the QBridge contract to fraudulently generate 77,162 qXETH, which is an asset representing Ether bridged via Qubit, according to an “incident analysis” by security firm CertiK. The procedure was tricked into assuming that attackers had made a deposit when they hadn't. CertiK stated that the hacker repeated these acts several times, converting all of the assets to Binance Coin.

The hacker called `deposit()` in the QBridge #eth contract w/o really making any deposit and emitted the Deposit event



The exploit was caused by `tokenAddress.safeTransferFrom` in QBridgeHandler.sol which didn't revert the tx when the tokenAddress is the 0x0. pic.twitter.com/jBpm2W3tUP — CertiK Security Leaderboard (@CertiKCommunity) January 28, 2022

The Qubit team issued a statement to inform clients that the hacker and their impacted assets were being monitored. The blog post also states that they have contacted the hacker to provide the “maximum bounty offer” as calculated by their programme.

According to data from CoinGecko at the time of writing, Qubit's QBT was down 34.6 per cent. Much of the fall happened after the heist came to light.