Hack Track: Analysis of Qubit Finance Exploit

On January 27, 2022, an attacker stole $80 million from the decentralized lending and borrowing platform, Qubit Finance. Exploiting Qubit’s Finance’s QBridge protocol, the attacker drained 206,809 Binance coins (BNB) from the platform. The QBridge protocol is an Ethereum-Binance Smart Chain bridge that facilitates the swapping of tokens from Ethereum (ETH) to Binance Smart Chain (BSC) blockchain. The protocol is implemented as a set of smart contracts built on top of the BSC.

According to DeFiYield’s Rekt database — a database of hacks, scams, and exploits — this is the seventh-largest DeFi hack ever. Of late there has been a rapid increase in global blockchain hacking incidents. Reportedly, both the crypto and the DeFi ecosystems have witnessed losses exceeding  $10.2 billion over the past year, resulting from hacks, scams, and other malicious activities.

In particular, there has been a rise in hacking incidents suffered by bridge platforms. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than the other protocols. Last year, the Poly Network’s cross-chain bridge was the victim of an exploit that allowed a hacker to drain the protocol of over $600 million worth of assets. Other bridging platforms that have been recently hacked are Polygon [MATIC] and MultiChain.

What happened?

On January 28, 2022, Qubit Finance identified the address of the attacker: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7  and stated that the attacker had minted an unlimited amount of Xplosive Ethereum (xETH) to borrow tokens on BSC.

CertiK, a leading blockchain security-focused landing platform published an analysis of the exploit. As per CertiK’s analysis, a logical error in Qubit Finance’s code allowed the attackers to input malicious data and withdraw tokens on Binance Smart Chain (BSC) without depositing corresponding Ethereum tokens (ETH). Further, Qubit Finance its incident report highlighted that the attacker “called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler.”

CertiK broke down the attacker’s actions in a series of steps. Firstly, The attacker called the deposit () function in the QBridge contract without attaching the corresponding ETH in this transaction. A data parameter has to be set to determine the amount of ETH deposited and to subsequently emit an event reflecting the amount.  On BSC, a certain amount of Qubit xETH (qXETH) is minted based on how much ETH is deposited into the Ethereum bridge. However, in this case, the attacker inputted malicious data in the function call instead.

Secondly, The deposit logic of the QBridge contract has to then invoke IQBridgeHandler(handler).deposit(), which verifies the data in the QBridge.deposit() function call. The IQBridgeHandler(handler).deposit() uses 3 statements to ensure the correctness of the data parameter.

Thirdly, the tokenAddress entered by the attacker in Line 127 was address(0). This address did not fail any of the 3 statements. In line 128: address(0) is whitelisted and bypassed. As the amount is 190 ETH (bigger than minAmounts), Line 134 is also bypassed. Since address(0) was an externally owned address (EOA),  the low-level call from safeTransferFrom() was returned successfully.

Thus, despite depositing 0 ETH, the attacker was successfully able to invoke the deposit() function using the malicious data. One of the root causes of the vulnerability in the IQBridgeHandler(handler).deposit was the fact that tokenAddress.safeTransferFrom() — code that was exploited — did not revert when the tokenAdress is 0.

Additionally, CertiK recognized two other smart contract code logic errors — depositing ETH and ERC20 tokens triggers the same deposit event and the safeTransferFrom() does not revert when the token EOA, as witnessed in Line 135

Post the hack Qubit Finance tweeted that they will be creating a website for its users. This website will let the users “search their losses related to the exploit”. The users will have to connect their wallets to get the records of their holdings being stolen, for presentation to the police. Qubit Finance has also offered a $2 million bug bounty to the attacker and promised no persecution. The Qubit Finance team is cooperating with their security and network partners including Binance. Further, the team is taking active measures to track the attacker and monitor the affected assets. The Qubit Finance team has also disabled a few features such as supply, borrow, repay, bridge, and repay bridge redemption until further notice, though claiming feature is still available.

Merkle Science has blacklisted the wallet addresses involved in the Qubit Finance attack

Merkle Science’s on-chain analysis

According to Merkle Science’s analysis, on January 27, 2022, the attacker exploited a vulnerability on Qubit smart contract to steal tokens amounting to  $77.14 million. The attacker stole 16 tokens using the address: 0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7.

Exploiting the vulnerability on the smart contract, the attacker minted 216,960.20 amount of  Qubit xETH (qXETH). The attacker then used PancakeSwap — a decentralized exchange — to swap the stolen tokens into BNB worth more than $77. 14 million.

Using the Qubit Finance cross bridge, the attacker minted an unlimited amount of xETH to borrow on BSC. Then using the cross-bridge platform the attacker converted the minted xETH to ETH, burning more xETH in the process. Then the attacker also transferred 199 xETH to the Ethereum Mainnet — Mainnet is the primary public Ethereum production blockchain, where actual-value transactions occur on the distributed ledger. As of now, the ETH funds have not moved out of the attacker's wallet