Cybercriminals stole $80 million from the decentralized finance (DeFi) protocol Qubit Finance in what is considered the seventh-largest cyberattack on a DeFi platform in recent history.
According to reports, the threat actors exploited the protocol to drain 206,809 Binance coins via the platform's QBridge deposit function. QBridge is an Ethereum-based Binance Smart Chain bridge that lets users swap ERC-20 and BEP-20 tokens between the two blockchains.
The attacker exploited a logic error in the platform's code that let them submit malicious input and drain tokens on Binance Smart Chain even though none had been deposited on Ethereum.
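The invariant that failed here is that tokens are released on the destination chain only when value was actually locked on the source chain, and it can be checked independently of the bridge contract. The following is an added illustration, not Qubit's code and not part of the original report: a relayer-side reconciliation that compares the bridge's deposit events with what the vault actually received in the same transaction. The `DepositEvent` and `VaultReceipt` types, the `reconcile` function and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositEvent:   # hypothetical: what the bridge contract claims was deposited
    tx: str
    token: str
    amount: int

@dataclass(frozen=True)
class VaultReceipt:   # hypothetical: what the vault actually received in that tx
    tx: str
    token: str
    amount: int

def reconcile(events, receipts):
    """Split deposit events into (approved, flagged).

    An event is approved only if the vault received at least that much of the
    same token in the same transaction; each received unit backs one claim only.
    """
    received = {}
    for r in receipts:
        received[(r.tx, r.token)] = received.get((r.tx, r.token), 0) + r.amount
    approved, flagged = [], []
    for e in events:
        backing = received.get((e.tx, e.token), 0)
        if e.amount > 0 and backing >= e.amount:
            received[(e.tx, e.token)] = backing - e.amount
            approved.append(e)
        else:
            flagged.append(e)   # claim with no matching value locked: do not mint
    return approved, flagged

# Constructed sample data (not from the incident).
EVENTS = [
    DepositEvent("0xaaa", "WETH", 5),      # backed by a real transfer
    DepositEvent("0xbbb", "ETH", 1000),    # event emitted, nothing received
    DepositEvent("0xccc", "WETH", 3),      # backed
    DepositEvent("0xccc", "WETH", 3),      # same receipt claimed twice
]
RECEIPTS = [VaultReceipt("0xaaa", "WETH", 5), VaultReceipt("0xccc", "WETH", 3)]

if __name__ == "__main__":
    ok, bad = reconcile(EVENTS, RECEIPTS)
    for e in bad:
        print(f"ALERT unbacked deposit: tx={e.tx} token={e.token} amount={e.amount}")
```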
In reporting the incident, Qubit Finance tweeted a statement telling the threat actor that it was well aware of what had happened and calling for direct negotiation before deciding on the next course of action (see screenshot).
Figure 1: Screenshot of a Twitter statement posted by Qubit Finance.
In another tweet, the DeFi platform wrote:
“The protocol was exploited by; 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7. The hacker minted unlimited xETH to borrow on BSC. The team is currently working with security and network partners on next steps. We will share further updates when available.”
Further reports reveal that Qubit Finance went on to track the threat actor behind the attack and monitor the affected crypto assets. To contain the situation, it also disabled a number of functions on the platform, including a number of account management features, until a later date.
A Troubled Binance Smart Chain
Binance Smart Chain has had its fair share of challenges since it launched in September 2020. Many reports have surfaced about its susceptibility to hacks, exploits and rug pulls, which has tainted its reputation.
In 2021, a long list of DeFi projects on Binance Smart Chain sustained cyberattacks and exploits that led to the loss of millions of dollars. Two notable examples: Meerkat Finance lost $31 million in March 2021, while a Uranium Finance exploit in April 2021 cost protocol users $50 million.