DeFi platform Qubit Finance begs hacker to return $80 million in stolen funds

"The exploit and loss of funds have a profound effect on thousands of real people," the company said in a message to the hackers.
Written by Jonathan Greig, Contributor

Qubit Finance took to Twitter last night to beg hackers to return more than $80 million in cryptocurrency stolen this week.

On Thursday, the DeFi platform said its protocol was exploited by a hacker who eventually stole 206,809 Binance coins from Qubit's QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that it was tracking the exploiter and monitoring the stolen cryptocurrency.

They noted that they contacted the hacker and offered them the maximum bug bounty in exchange for a return of the funds, something a number of other hacked DeFi platforms have tried with middling success.

They shared multiple messages on Twitter that they purportedly sent to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds. 

"We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let's figure out a situation," the Qubit Finance Team wrote. 

The company later explained in a blog post that their Qubit protocol "was subject to an exploit to our QBridge deposit function."

"The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler. QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur," the company explained. 

"In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance."

Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts.

"For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum," CertiK explained.
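The failure mode the two statements above describe, a deposit recorded on the source chain with nothing locked behind it, shown as an added Python model (not Qubit's or CertiK's code). The class and function names are hypothetical, the ledger values are constructed, and the way the transfer fails quietly is an assumption, since the article does not say how that happened.

```python
# Toy model of a lock-and-mint bridge. Added illustration only:
# every name here is hypothetical and every balance is constructed.

class Token:
    """Minimal token ledger on the source chain."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, sender, recipient, amount):
        # Assumption: a failed transfer returns False instead of raising,
        # so a caller that ignores the result sees no error.
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


class Handler:
    """Source-chain handler; each entry in `events` is relayed and minted."""
    def __init__(self, token):
        self.token = token
        self.events = []

    def deposit_unchecked(self, depositor, amount):
        # Weak form: records the deposit without confirming funds arrived.
        self.token.transfer_from(depositor, "handler", amount)
        self.events.append((depositor, amount))

    def deposit_checked(self, depositor, amount):
        # Hardened form: record only if custody grew by exactly `amount`.
        before = self.token.balances.get("handler", 0)
        self.token.transfer_from(depositor, "handler", amount)
        if self.token.balances.get("handler", 0) - before != amount:
            raise ValueError("deposit rejected: no funds received")
        self.events.append((depositor, amount))


def unbacked(handler):
    """Amount claimable on the destination chain beyond what is locked."""
    claimed = sum(amount for _, amount in handler.events)
    return claimed - handler.token.balances.get("handler", 0)
```

The same `unbacked` reconciliation can run as an independent monitor on the relayer side, so that a deposit event is never honoured on the destination chain unless the custody balance on the source chain accounts for it.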

DeFiYield keeps a running list of attacks on DeFi platforms, ranking the attack on Qubit as the seventh largest after Compound Labs, BadgerDAO, Cream Finance, Boy X Highspeed, Vulcan Forged, and Poly Network. The list does not include other notable attacks on Grim Finance and AscendEX.

This week, blockchain analysis firm Chainalysis released a report that said more cryptocurrency was stolen from DeFi protocols than any other type of platform last year. 

"Many of the hacks we saw this year were of DeFi protocols, so it makes sense that the funds were sent to DeFi services that can handle large amounts of liquidity from really any token you can imagine," Kim Grauer, head of research at Chainalysis, told ZDNet. "We also know that criminals are always the fastest to adapt to the use of new technologies to evade detections, and this year was no different."

In another report released earlier this year, Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021.
