Binance Smart Chain-based Qubit Finance was exploited for over $80 million by attackers on Friday morning, developers confirmed in a post.
- “The hacker minted unlimited xETH to borrow on BSC. The team is currently working with security and network partners on next steps,” developers said in a tweet.
The protocol was exploited by;
0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
The hacker minted unlimited xETH to borrow on BSC.
The team is currently working with security and network partners on next steps.
We will share further updates when available.— Qubit Finance (@QubitFin)
- Addresses connected to the attack show 206,809 binance coins (BNB) were drained from Qubit’s QBridge protocol. The assets are worth over $80 million at current prices, security firm PeckShield confirmed in a tweet.
- Decentralized finance (DeFi) projects like Qubit Finance rely on smart contracts instead of third parties to offer financial services, such as trading, lending, and borrowing, to users.
- Qubit allows users to supply their crypto holdings to the protocol and borrow loans against this collateral for a fixed fee. QBridge is a cross-chain feature that enables users to collateralize their assets on other networks without moving assets from one chain to another.
- PeckShield, which audited Qubit’s smart contracts, said the QBridge was hacked to mint a “huge amount of xETH collateral” that was then used to drain the entire amount of BNB held on QBridge.
- In an incident report, security firm CertiK said the attacker used a deposit function in the QBridge contract and illicitly minted 77,162 qXETH, an asset that represents ether bridged via Qubit. Attackers tricked the protocol to show that they had deposited funds without making an actual deposit.
2. The Ethereum QBridge captured the Deposit event and minted $qXETH for the hacker on #BSC.
The QBridge treats the Deposit event as an event of depositing #ETH because the `deposit` and `depositETH` methods in the #QBridge contract emit the same event. pic.twitter.com/4TzsZqOOtI
— CertiK Security Leaderboard (@CertiKCommunity)
- These steps were repeated several times, and the attacker then converted all the assets to BNB, CertiK said in a tweet.
- The exploit is the seventh-largest attack on a DeFi protocol by the amount of funds stolen, as per data from analytics tool DeFi Yield.
- Qubit’s QBT is down 25% in the past 24 hours, as per data from CoinGecko. Much of the fall occurred after this morning’s incident was made public.
- Qubit developers continue to monitor the situation at the time of writing, as per a tweet.