A hacker has stolen $80 million in Binance Coin (BNB) by exploiting a critical vulnerability in the smart contract code that decentralized finance (DeFi) protocol Qubit Finance deployed on its cross-chain bridge.
Hacker Takes Over 200,000 BNB From BSC Bridge Protocol
According to a tweet from DeFi protocol Qubit Finance, a hacker has stolen some 206,809 BNB tokens from its cross-chain bridge platform, QBridge. The tokens are worth about $80 million at the time of writing.
Qubit disclosed details regarding the incident in the early hours of Friday, January 28, 2022. Since the news broke, Qubit’s QBT price has dropped some 25 percent, as per data from on-chain aggregator CoinGecko.
The hacker reportedly took advantage of a bug in the deposit function deployed by QBridge and tricked the platform’s smart contract into accepting a false event. Qubit’s bridge allows users to swap their Ethereum-based ERC-20 tokens for BEP-20 tokens, usable on the Binance Smart Chain.
A post-mortem analysis report from on-chain security outfit CertiK shows that the hacker leveraged a logical error in Qubit’s code to input malicious data and create a false deposit transaction, when in fact no assets were provided. An excerpt from the report reads:
“At 9:34 PM UTC on January 27th, 2022, an attacker began their exploit of Qubit Finance’s Ethereum-BSC bridge. This exploit ended up netting them 77,162 qXETH ($185 million), which they then used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in various stablecoins, and ~$5 million in CAKE, BUNNY, and MDX.”
The hacker supposedly repeated the process and converted part of the funds to BNB. Qubit’s team has since suspended activities on the bridge and notified its users. The protocol also attempted to contact the hacker and has offered a $250,000 bounty in return for the stolen funds.
CertiK has tagged the hack as the “largest exploit of 2022 to date,” with total value lost (TVL) at around $80 million.
Millions Lost in DeFi Security Breaches
The hack on Qubit Finance is the latest vulnerability concern to surface in the DeFi space. Popular exchange Crypto.com recently experienced unauthorized withdrawals of users’ Bitcoin (BTC) and Ethereum (ETH) holdings, which resulted in a loss of around $35 million.
BTCManager previously reported that DeFi lending protocol Cream Finance lost $18 million in a flash loan attack back in August 2021. In a similar incident, hackers stole $4.5 million in digital assets from a project called xToken.
Also, data from cyber security firm Chainalysis shows that 72 percent of the stolen funds acquired from cryptocurrency-related scams in 2021 came directly from DeFi protocols.