Hackers have stolen $80 million from Qubit, a decentralized finance (DeFi) and cryptocurrency platform, according to a statement posted by the company in late January. Qubit has also offered the cybercriminals the chance to legally convert the heist into its maximum bug bounty, which is worth $250,000.
Qubit operates as a bridge that allows users to make deposits in one cryptocurrency and withdraw in another. It works between Ethereum and the Binance Smart Chain (BSC) network.
According to blockchain security firm CertiK, the hackers took advantage of a logical error in Qubit Finance’s code. The DeFi platform said the smart contract software bug allowed the hacker to transfer about 206,809 Binance coins worth about $80 million after depositing 0 ETH.
“The attacker called the ‘deposit()’ function in the QBridge contract without any ETH attached in this transaction,” CertiK wrote.
The hackers injected malicious data, and the deposit logic failed to invoke a function to verify that data. The report noted that ‘tokenAddress.safeTransferFrom()’ fails to revert when the ‘tokenAddress’ parameter is zero.
While investigating the attack, cybersecurity researchers discovered two more logical errors that attackers could exploit. One of these allows an attacker to deposit ETH and ERC20 tokens using the same event.
Similarly, the safeTransferFrom function does not revert when an externally owned account (EOA) deposits the funds.
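The failure mode described above, as an added Solidity example that is not Qubit's or CertiK's code: it assumes a `safeTransferFrom` helper built on a low-level call, which the EVM reports as successful when the target address holds no contract code (the zero address or an EOA), and shows a hardened helper and deposit path beside it. All contract, function, event and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical names throughout; illustrates the failure mode, not Qubit's source.
library TransferHelper {
    bytes4 private constant TRANSFER_FROM = 0x23b872dd; // transferFrom(address,address,uint256)

    // Weak form: a low-level call to an address with no code (address(0) or an EOA)
    // returns ok == true with empty return data, so this passes though no token moved.
    function weakSafeTransferFrom(address token, address from, address to, uint256 value) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, value));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }

    // Hardened form: refuse any target that is not a deployed contract before calling it.
    function safeTransferFrom(address token, address from, address to, uint256 value) internal {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, from, to, value));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}

contract BridgeDepositExample {
    using TransferHelper for address;

    // Separate events so an off-chain relayer cannot confuse a token deposit with an ETH deposit.
    event TokenDeposit(address indexed token, address indexed depositor, uint256 amount);
    event EthDeposit(address indexed depositor, uint256 amount);

    mapping(address => bool) public tokenAllowed; // hypothetical allow-list of bridged tokens

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) tokenAllowed[tokens[i]] = true;
    }

    function depositToken(address token, uint256 amount) external {
        require(token != address(0) && tokenAllowed[token], "token not allowed");
        require(amount > 0, "zero amount");
        token.safeTransferFrom(msg.sender, address(this), amount); // reverts on EOA or zero address
        emit TokenDeposit(token, msg.sender, amount);
    }

    function depositETH() external payable {
        require(msg.value > 0, "no ETH attached"); // the value must really be attached
        emit EthDeposit(msg.sender, msg.value);
    }
}
```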
CertiK researchers pointed out that the DeFi platform attack taught the crypto community crucial lessons moving forward.
“As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important,” CertiK wrote. “People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than [$80 million].”
Due to the attack, Qubit has disabled the Redeem, Borrow, Repay, Bridge, and Bridge redemption functionalities indefinitely.
The platform left communication open for the hackers.
“.. If the maximum bounty offer is not what you are looking for, we are open to have a conversation,” tweeted Qubit Finance.
Later, the company disclosed that the attacker had swapped all the stolen assets into a single ETH wallet. Qubit promised to commit resources to solve the issue and expressed its willingness to compensate the victims.
Protecting Your Cryptocurrency
Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However, this popularity has attracted an element of cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a user would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.