Hackers Steal Over $80 Million From Qubit
17th February 2022
Cybercriminals have stolen over $80 million (approx £59 million) from Qubit’s decentralised finance (DeFi) platform.
According to CertiK, a blockchain security firm, the attackers exploited a logic error in Qubit's code that allowed them to move more than 206,809 BNB (Binance Coin), worth about $80 million, out of the platform.
The attackers sent the platform's bridge a crafted deposit transaction, and its deposit logic never validated the data it was handed: the call "tokenAddress.safeTransferFrom()" did not revert when the 'tokenAddress' parameter was the zero address, so the deposit was accepted and recorded even though no tokens had actually been transferred in.
Furthermore, a closer examination of the platform's contracts revealed two more logic errors that could have been exploited.
One allowed the same deposit path to be used for both ETH and ERC20 tokens. The other was that "safeTransferFrom" also did not revert when the token address was an externally owned account (EOA), that is, an address with no contract code behind it: a low-level call to such an address succeeds and returns no data, which the wrapper treated as a successful transfer.
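The pattern described above, as an added illustration rather than Qubit's own contracts: a "safe" ERC20 wrapper that accepts an empty return value, which means a call to address(0) or any EOA looks like a successful transfer, beside a hardened wrapper and handler that refuse to treat a non-contract as a token and keep the ETH and ERC20 deposit paths separate. The contract and function names (BridgeHandler, deposit, depositETH, the resourceID mapping, the whitelist) and the simplified deposit signature are assumptions chosen to mirror the page's description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Qubit's code. Names and the simplified deposit
// signature are assumptions that mirror the pattern described in the text.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable wrapper: a low-level call to an address with no code (address(0)
// or any EOA) returns success with empty returndata, so the "safe" check below
// passes even though no token was transferred.
library SafeERC20Unchecked {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transferFrom failed");
    }
}

// Hardened wrapper: the target must actually be a contract before the empty
// return value can be tolerated (tokens that return nothing on success).
library SafeERC20Checked {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transferFrom failed");
    }
}

contract VulnerableBridgeHandler {
    using SafeERC20Unchecked for IERC20;

    // resourceID -> token contract. A resourceID repurposed for native ETH can
    // be left mapped to address(0), which the ERC20 path then happily uses.
    mapping(bytes32 => address) public resourceIDToTokenContractAddress;

    event Deposit(bytes32 indexed resourceID, address indexed depositer, uint256 amount);

    function deposit(bytes32 resourceID, address depositer, uint256 amount) external {
        address tokenAddress = resourceIDToTokenContractAddress[resourceID];
        // No check that tokenAddress is a real token: with address(0) the call
        // silently succeeds and the Deposit event is still emitted, which is
        // what the other side of the bridge relies on to release funds.
        IERC20(tokenAddress).safeTransferFrom(depositer, address(this), amount);
        emit Deposit(resourceID, depositer, amount);
    }
}

contract HardenedBridgeHandler {
    using SafeERC20Checked for IERC20;

    mapping(bytes32 => address) public resourceIDToTokenContractAddress;
    mapping(address => bool) public contractWhitelist;

    event Deposit(bytes32 indexed resourceID, address indexed depositer, uint256 amount);

    // ERC20 path: the token must be a whitelisted contract, never address(0),
    // so a resourceID bound to native ETH cannot be replayed here.
    function deposit(bytes32 resourceID, address depositer, uint256 amount) external {
        address tokenAddress = resourceIDToTokenContractAddress[resourceID];
        require(tokenAddress != address(0), "resourceID not bound to a token");
        require(contractWhitelist[tokenAddress], "token not whitelisted");
        IERC20(tokenAddress).safeTransferFrom(depositer, address(this), amount);
        emit Deposit(resourceID, depositer, amount);
    }

    // Native ETH path: the amount the event reports is exactly msg.value, the
    // ETH this contract really received, so nothing is minted against zero.
    function depositETH(bytes32 resourceID) external payable {
        require(msg.value > 0, "no ETH sent");
        emit Deposit(resourceID, msg.sender, msg.value);
    }
}
```

The point of the hardened version is that the check happens before the call rather than on its result: once a call has gone to an address with no code, "success with no returndata" is indistinguishable from a well-behaved token that simply returns nothing, so the only reliable place to reject address(0) and EOAs is the `code.length` and whitelist checks up front.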
What has Qubit finance done to resolve the issue?
Besides tracking the perpetrators, Qubit has disabled multiple functionalities in its platform, including Redeem, Repay, Bridge, Borrow, and Bridge Redemption until further notice.
Furthermore, the company said it was tracking the roughly $80 million in stolen assets, which were still sitting in the attackers' wallets, and asked that they be returned in exchange for a negotiable bounty.
Qubit offered the attackers its maximum bug bounty of $250,000 (approx. £184,981) if the funds were returned, and has promised to compensate the victims of the attack.
What does this mean for decentralised finance platforms?
The main aim of DeFi platforms is to remove the control that banks and other financial institutions hold over financial products and services, giving more people access to them.
While the technology has promise, it has its share of security problems.
The latest attack on Qubit is the seventh-largest to have occurred on a DeFi platform.
Other notable attacks include the Meerkat Finance exploit, which resulted in over $31 million (approx. £22 million) in losses, and the Poly Network exploit, where over $602.2 million (approx. £445.5 million) was stolen by cybercriminals.
DeFi platforms have tried to limit the damage by retroactively treating such thefts as bug bounties, letting the attacker keep part of the funds in exchange for returning the rest and so reducing the platform's loss.
But this practice is not a well-regarded option, and it sits in the grey area between legal and illegal.
Some DeFi platforms have even attempted to negotiate with the criminals, but such attempts have yielded limited success.
This indicates that decentralised finance platforms need to invest in more cybersecurity initiatives that allow them to reduce cyber exposure in an increasingly complex financial ecosystem.