Hacking

Hackers stole $80M worth of cryptocurrency from the Qubit DeFi platform

Threat actors stole $80M worth of cryptocurrency from the Qubit DeFi platform by exploiting a flaw in the smart contract code used in an Ethereum bridge.

The DeFi platform Qubit Finance was victim of a cyber heist, threat actors stole around $80 million in cryptocurrency last week. The hack took place at around 5PM ET on the evening of January 27th, the attackers have exploited a flaw in the smart contract code used in an Ethereum bridge.

Qubit provides bridging services allowing its users to transfer funds to different blockchains, this means that that the deposits made in one cryptocurrency can be withdrawn in another. Qubit Finance operates a bridge between Ethereum and the Binance Smart Chain (BSC) network.

“The Qubit protocol was subject to an exploit to our QBridge deposit function” reads the incident report published by the company.

Researchers from blockchain security firm CertiK speculate that the attackers were able to exploit a security flaw in Qubit’s smart contract code that allowed them to invoke the deposit() function with malicious input data yet actually deposited 0 ETH and withdraw almost $80 million in Binance Coin in return.

At 9:34PM UTC on January 27th, 2022, an attacker began their exploit of Qubit Finance’s Ethereum-BSC bridge. This exploit ended up netting them 77,162 qXETH ($185 million), which they then used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in various stablecoins, and ~$5 million in CAKE, BUNNY, and MDX.” read the analysis published by CertiK. “At $80 million TVL (Total Value Lost), this is by far the largest exploit of 2022 to date.”

CertiK analysts highlight the importance bridge services that allow investors to move funds among different blockchains.

The Record reported that attacker’s address was identified and threat actors have yet to launder the stolen funds. Qubit Finance published a Twitter to invite the threat actors to negotiate with the team.

The company is open to offer the attackers the maximum reward possible under their bug bounty program, which is $250,000.

Below is the Incident Timeline

  1. Jan-27–2022 09:18:55 PM +UTC: 0.8887725 ETH sent from tornado to attacker account
  2. Jan-27–2022 09:34:01 PM +UTC~Jan-27–2022 09:50:41 PM +UTC : Sent 16 deposit tx to QBridge of Ethereum
  3. Jan-27–2022 09:36:32 PM +UTC~Jan-27–2022 09:51:02 PM +UTC : Sent 16 voteProposal tx to QBridge contract of BSC by Qubit Relayer
  4. A number of xETH tokens were minted by 16 voteProposal tx, and liquidity in Qubit was withdrawn using this as collateral

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Pwn2Own Berlin 2025: total prize money reached $1,078,750

Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…

4 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…

1 day ago

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

2 days ago