An exploit in decentralized finance protocol Qubit Finance enabled one hacker to walk away with $80 million in stolen crypto yesterday.
The specific smart contract flaw that enabled the attack was located in X-Bridge, a cross-chain bridge that facilitates easy token swaps between and .
This flaw enabled the attacker to input malicious data without depositing Ethereum and receive $185 million worth of Qubit xETH (an asset that represents bridged Ethereum on the Binance Smart Chain) in return.
The attacker then used this money as collateral to “borrow” about $80 million worth of crypto from various lending pools.
The full breakdown of purloined assets amounts to 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in , and $5 million in CAKE, BUNNY, and MDX tokens, according to audit firm CertiK.
Since the attacker never converted their qXETH “collateral,” the total cost of the theft to Qubit Finance is $80 million.
Qubit offers crypto bounty
Qubit Finance published a blog post today with a play-by-play breakdown of the attack in its entirety.
On Qubit’s Twitter page, the team also tweeted that it is “glad to have a conversation with [the attacker].” It attached a screenshot of a message saying that Qubit is “prepared to offer [the attacker] the maximum bounty for the revealed exploit” in order to “minimize the effect on the community.”
Blockchain security analysts PeckShield tweeted on Friday morning that it had audited Qubit Finance’s lending protocol and will provide further details soon.
It seems the QBridge of @QubitFin is hacked to mint huge amount of xETH collateral and drain the pool funds about $80M. Please note we audited the Qubit lending, not the QBridge! More to come…
— PeckShield Inc. (@peckshield) January 27, 2022
While this attack has been the largest this year, it wasn’t the first cross-chain hack in 2022.
Last week, a white-hat hacker stole $1.73 million from Multichain before returning $900,000 and pocketing the rest as a bounty.
As different blockchains become popular and cross-chain activity grows alongside them, projects like Qubit and Multichain are expected to become key targets for hackers.