An exploit in decentralized finance (DeFi) protocol Qubit Finance enabled one hacker to walk away with $80 million in stolen crypto yesterday.
The specific smart contract flaw that enabled the attack was located in X-Bridge, a cross-chain bridge that facilitates easy token swaps between Ethereum and Binance Smart Chain.
This flaw enabled the attacker to input malicious data without depositing Ethereum and receive $185 million worth in Qubit xETH (an asset that represents bridged Ethereum on the Binance Smart Chain) in return.
The attacker then used this money as collateral to "borrow" about $80 million worth of crypto from various lending pools.
The full breakdown of purloined assets amounts to 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in stablecoins, and $5 million in CAKE, BUNNY, and MDX tokens, according to audit firm CertiK.
Since the attacker never converted their qXETH "collateral," the total cost of the theft to Qubit Finance is $80 million.
Qubit offers crypto bounty
Qubit Finance published a blog post today with a play-by-play breakdown of the attack in its entirety.
On Qubit's Twitter page, the team also tweeted that it is "glad to have a conversation with [the attacker]." It attached a screenshot message saying that Qubit is "prepared to offer [the attacker] the maximum bounty for the revealed exploit" in order to "minimize the effect on the community."
Blockchain security analysts Peckshield tweeted on Friday morning that it had audited Qubit Finance's lending protocol and will provide further details soon.
While this attack has been the largest this year, it wasn't the first cross-chain hack in 2022.
Last week, a white-hat hacker stole $1.73 million from Multichain before returning $900,000 and pocketing the rest as a bounty.
As different blockchains become popular and cross-chain activity grows alongside it, projects like Qubit and Multichain are expected to become key targets for hackers.
Stay on top of crypto news, get daily updates in your inbox.