DeFi Platform Qubit Finance Hacked for $80 Million
Incident Is the Biggest DeFi Hack of 2022, Reportedly 7th Largest on Record
In the latest cyberattack targeting decentralized finance protocols, the money market platform Qubit Finance, which runs on the Binance Smart Chain, was hacked for more than $80 million, it confirmed via tweet late Thursday. Blockchain security experts say it is the largest DeFi hack of 2022, and according to data from DeFiYield, the seventh-largest exploit on record.
The DeFi space, built on decentralized applications, or DApps, that run open-source software, has been a primary target of cybercriminals in recent months. These DApps do not rely on traditional intermediaries and are instead powered by peer-to-peer smart contracts. According to industry tracker DeFiPulse, nearly $77.5 billion is locked across these platforms.
In the latest instance, hackers stole 206,809 Binance Coin, currently worth more than $80 million.
Qubit said via Twitter that the alleged hacker has the following address: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7, and "minted [or validated] unlimited xETH to borrow on BSC."
In a Medium post on Friday, Qubit Finance said that the attacker "called the QBridge deposit function on the Ethereum network, which calls the deposit function QBridgeHandler. ... In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract." A bridge - the target of this exploit - connects two or more blockchains, allowing for interoperability across the ledgers.
Qubit also says it is "continuing to track the exploiter and monitor affected assets." The protocol writes that it has "contacted the exploiter to offer the maximum bounty as set by our program," and that it is "cooperating with security and network partners, including Binance."
Qubit says its supply, redeem, borrow, repay, bridge and bridge redemption functions are disabled "until further notice."
And its note to the attacker, posted to Twitter, reads: "We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. … Let's figure out a solution."
Qubit Finance did not immediately respond to ISMG's request for comment on Friday.
CertiK, a blockchain security firm, says in its analysis provided to ISMG that the illicit activity began at 9:34 p.m. UTC on Jan. 27, first netting hackers 77,162 qXETH ($185 million), which was used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in stablecoins, and approximately $5 million in other coins. The researchers confirm that the total value lost is $80 million.
"Essentially what the attacker did is take advantage of a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum," CertiK writes. "[And] all this, despite several fail-safes."
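The defect class described in Qubit's Medium post and in CertiK's analysis above, a superseded deposit entry point left callable in a bridge contract, as a hypothetical hardened handler added here for illustration. This is not Qubit's QBridgeHandler code; the contract names, the bridge-only call restriction, the Deposit event and the relayer design are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified bridge handler written for this article.
// It is not Qubit's QBridgeHandler; it only illustrates the defect class the
// article describes: a legacy deposit() left callable after depositETH()
// replaced it, so a call that moves no value can still produce the event a
// relayer uses to mint on the other chain.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract BridgeHandlerHardened {
    address public immutable bridge; // only the bridge contract may call in
    address public immutable token;  // ERC-20 handled here, fixed at deploy
    // The relayer watches this event and mints on the destination chain, so
    // it must only be emitted for value that verifiably arrived.
    event Deposit(address indexed depositor, uint256 amount);

    constructor(address bridge_, address token_) {
        require(bridge_ != address(0) && token_ != address(0), "zero address");
        bridge = bridge_;
        token = token_;
    }

    modifier onlyBridge() {
        require(msg.sender == bridge, "not bridge");
        _;
    }

    // The legacy deposit(address,uint256) entry point is simply absent:
    // a replaced function is removed, not left behind.
    // ERC-20 path: credit only what the balance change proves was received.
    function depositToken(address depositor, uint256 amount) external onlyBridge {
        require(amount > 0, "zero amount");
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(depositor, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received == amount, "amount mismatch");
        emit Deposit(depositor, received);
    }

    // Native ETH path: msg.value is the proof of deposit, not a caller argument.
    function depositETH(address depositor) external payable onlyBridge {
        require(msg.value > 0, "zero amount");
        emit Deposit(depositor, msg.value);
    }
}
```

The balance-difference check also rejects fee-on-transfer tokens rather than crediting more than arrived, and the zero-amount checks refuse the empty deposit that would otherwise still emit a mintable event.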
"The exploit of a cross-chain bridge highlights two things," CertiK experts say. "One, the importance of cross-chain bridges that facilitate interoperability between blockchains, and two, the importance of the security of these bridges."
They add: "As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than $80 million."
"The Qubit team did the right thing and got their product audited before deployment, but the fact that it was still compromised underscores the adversarial nature of the DeFi markets," Connie Lam, head of CertiK's Incident Response Team, tells ISMG. "Each exploit is a lesson to other DeFi platforms, and while it's painful for the one that suffers the attack, the system as a whole grows stronger as it evolves to protect against known threats and attempts to stay one step ahead of nefarious actors."
Digital Currency Concerns
In a recent CertiK report, the firm said "centralization risks" and other code weaknesses were a main factor in $1.3 billion in cryptoassets lost to hacks, exploits and scams in 2021. Related losses rose from $500 million in 2020 (see: Report: DeFi Undermined by Centralization, Code Flaws).
Hacking concerns around crypto platforms were perhaps best illuminated in 2021, when a hacker - infamously dubbed "Mr. White Hat" - stole more than $600 million from Poly Network. The funds were gradually returned in the days that followed, although blockchain security experts suspect the hacker had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
Federal leaders also continue to grapple with imminent cryptocurrency regulation. To some Republicans, stringent controls around the industry may stifle innovation. Others, including many Democrats, have backed comprehensive regulation of the space - citing massive volatility and security risks.
For one, Sen. Elizabeth Warren, D-Mass., has been an outspoken crypto critic, citing its price volatility and potential for overnight losses. She voiced these concerns to crypto executives during congressional hearings in 2021.
And Securities and Exchange Commission Chair Gary Gensler has been a proponent of more aggressive regulation - saying in 2021 that the space was "rife with fraud, scams and abuse" (see: SEC to Monitor Illicit Activity on DeFi Platforms).
Several in Congress have promised thorough regulatory proposals for crypto in 2022, and the White House is reportedly considering an executive order to de-risk cryptocurrencies.
CertiK's Lam tells ISMG that one of the next substantial focus areas for crypto security will be interoperability.
"[It's] something we have our eyes on as one of the key trends of 2022 - and the first team to bring a secure, decentralized and user-friendly cross-chain bridge to market will reap the rewards," she says.