Mon | Jan 31, 2022 | 3:39 PM PST

Decentralized Finance (DeFi) platforms have been hot targets for threat actors, and Qubit Finance has become the latest victim.

The cryptocurrency lending platform announced via Twitter that a hacker stole Binance Coin totaling over $80 million through its QBridge protocol.

The company said they were tracking the hacker and monitoring affected assets, but also pleaded with them to return the stolen funds:

They also added this:

"It's not too late to return the funds. We will pay the maximum bounty reward as mentioned as well as not seek any legal charges if you return the funds and do right by the community."

But apparently, the maximum bounty reward was not enough to get the hacker to negotiate, so Qubit came up with a better offer:

Even one million dollars wasn't enough for the hacker to change his stance. So Qubit doubled down:

Would you return a stolen $80 million in exchange for a worry-free $2 million?

Hacker steals $80 million from Qubit

In a blog post, Qubit explained how the hacker managed to steal so much money from its platform:

"The attacker called the QBridge deposit function on the Ethereum network, which calls the deposit function QBridgeHandler.

QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur.

tokenAddress.safeTransferFrom(depositer, address(this), amount);

In the code above, tokenAddress is 0, so safeTransferFrom didn't fail and the deposit function ended normally regardless of the amount value.

Additionally, tokenAddress was the WETH address before depositETH was added, but once depositETH was added, it was replaced with the zero address, which is the tokenAddress of ETH.

In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract."
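The failure described in the quoted write-up, as an added illustration rather than Qubit's own code: a minimal bridge handler in which a stored tokenAddress of zero lets the low-level transfer "succeed" with no tokens moved, beside a hardened version that refuses the zero address and any address without code. The contract bodies, the resourceID mapping and the depositer parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical, simplified handler modelled on the incident description above.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VulnerableHandler {
    // Originally WETH for the resource; later set to address(0) to denote native ETH.
    mapping(bytes32 => address) public tokenAddress;

    // Left in place after depositETH was introduced. When tokenAddress[resourceID]
    // is address(0), the low-level call targets an address with no code: the EVM
    // returns success with empty return data, nothing reverts, and the deposit is
    // recorded for any `amount` even though no collateral ever arrived.
    function deposit(bytes32 resourceID, address depositer, uint256 amount) external {
        address token = tokenAddress[resourceID];
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, depositer, address(this), amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
        // ... credit `amount` to the cross-chain message (omitted)
    }
}

contract HardenedHandler {
    mapping(bytes32 => address) public tokenAddress;

    // Reject the ETH sentinel and any non-contract address before attempting a transfer,
    // and require an explicit true from transferFrom instead of tolerating empty data.
    function deposit(bytes32 resourceID, address depositer, uint256 amount) external {
        address token = tokenAddress[resourceID];
        require(token != address(0), "resource is native ETH: use depositETH");
        require(token.code.length > 0, "token address has no code");
        require(amount > 0, "zero amount");
        require(IERC20(token).transferFrom(depositer, address(this), amount), "transfer failed");
        // ... credit `amount` (omitted)
    }

    // Native ETH path: value must actually be attached, so nothing is credited for free.
    function depositETH(bytes32 resourceID) external payable {
        require(tokenAddress[resourceID] == address(0), "resource is an ERC20: use deposit");
        require(msg.value > 0, "no ETH sent");
        // ... credit msg.value (omitted)
    }
}
```

The general lesson for reviewers is that a low-level call to an address without code never reverts on its own, so every token path needs an explicit zero-address and code-size check, and superseded entry points should be removed rather than left callable.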

According to a report released by Chainalysis in 2021, $2.2 billion was outright stolen from DeFi platforms last year. That trend appears to be continuing in 2022.
