Hackers drain $80 million from DeFi platform Qubit Finance pool

The Qubit Finance lending platform on Binance Smart Chain (BSC) was hacked. PeckShield estimates that the attackers drained about $80 million worth of the project’s digital assets from its pool.

It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come…

— PeckShield Inc. (@peckshield) January 27, 2022

Analysts noted that the hackers exploited a cross-chain exploit in QBridge, which allowed them to mint a ‘huge’ amount of xETH tokens. The latter were used to collateralise an illegitimate loan on the platform.

PeckShield stressed that it conducted an audit of the smart contracts related to the lending component of the project. It did not audit the QBridge codebase.

The DeFi platform allows borrowers to take loans against digital assets. The QBridge solution enables using cryptocurrencies as collateral for loans outside the BSC, without the need to move assets from one blockchain to another.

CertiK explained that the exploit allowed the attackers to mint xETH without actually depositing collateral. They then converted the assets into BNB.

2. The Ethereum QBridge captured the Deposit event and minted $qXETH for the hacker on #BSC.

The QBridge treats the Deposit event as an event of depositing #ETH because the `deposit` and `depositETH` methods in the #QBridge contract emit the same event. pic.twitter.com/4TzsZqOOtI

— CertiK Security Leaderboard (@CertiKCommunity) January 28, 2022

The address associated with the attack holds 206,809 BNB — more than $79.23 million at the time of writing.

The project team confirmed the hack. The developers reached out to the attackers and offered them a reward to “minimise” the negative impact on the community.

[Our message to the exploiter]
The team is glad to have a conversation with you.https://t.co/4SxtuD6pQY pic.twitter.com/V9bICKvWda

— Qubit Finance (@QubitFin) January 28, 2022

According to the project’s blog, its team tracks the attackers’ actions and “monitors” the affected assets. Developers are cooperating with security partners, including Binance representatives. A large portion of the platform’s functionality has been temporarily disabled.

In the wake of the incident, the price of the Qubit token (QBT) fell by 26%, according to CoinGecko.

Back in December 2021, hackers drained $30 million from the DeFi platform Grim Finance in digital assets.

Follow ForkLog news on VK.