en
Back to the list

Binance Smart Chain, Ethereum Crypto Bridge Hacked for $80 Million

source-logo  decrypt.co 28 January 2022 09:53, UTC

An exploit in decentralized finance (DeFi) protocol Qubit Finance enabled one hacker to walk away with $80 million in stolen crypto yesterday. 

The specific smart contract flaw that enabled the attack was located in X-Bridge, a cross-chain bridge that facilitates easy token swaps between Ethereum and Binance Smart Chain

This flaw enabled the attacker to input malicious data without depositing Ethereum and receive $185 million worth in Qubit xETH (an asset that represents bridged Ethereum on the Binance Smart Chain) in return.

The attacker then used this money as collateral to "borrow" about $80 million worth of crypto from various lending pools. 

The full breakdown of purloined assets amounts to 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in stablecoins, and $5 million in CAKE, BUNNY, and MDX tokens, according to audit firm CertiK.

Since the attacker never converted their qXETH "collateral," the total cost of the theft to Qubit Finance is $80 million. 

Qubit offers crypto bounty

Qubit Finance published a blog post today with a play-by-play breakdown of the attack in its entirety. 

On Qubit's Twitter page, the team also tweeted that it is "glad to have a conversation with [the attacker]." It attached a screenshot message saying that Qubit is "prepared to offer [the attacker] the maximum bounty for the revealed exploit" in order to "minimize the effect on the community."

[Our message to the exploiter]
The team is glad to have a conversation with you.https://t.co/4SxtuD6pQY pic.twitter.com/V9bICKvWda

— Qubit Finance (@QubitFin) January 28, 2022

Blockchain security analysts Peckshield tweeted on Friday morning that it had audited Qubit Finance's lending protocol and will provide further details soon. 

It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come...

— PeckShield Inc. (@peckshield) January 27, 2022

While this attack has been the largest this year, it wasn't the first cross-chain hack in 2022. 

Last week, a white-hat hacker stole $1.73 million from Multichain before returning $900,000 and pocketing the rest as a bounty.

As different blockchains become popular and cross-chain activity grows alongside it, projects like Qubit and Multichain are expected to become key targets for hackers.

decrypt.co