spherex Research

Qubit Finance Hack — The Movie Had a Trailer

2 min read ・ Aug 14, 2023 ・by Oren Fine

Did anyone watch the movie’s trailer?


The Qubit Finance incident is still among the largest breaches in the history of smart contracts. Over $80 million was stolen in less than 90 minutes, and the attack is still ranked in the top twenty of the rekt.news leaderboard.

The movie begins on the night of January 27th, 2022. Hackers exploited a bug in Qubit Finance’s smart contract (etherscan), which enabled them to fabricate deposits into the Ethereum side of QBridge. In less than an hour, the attackers withdrew crypto funds worth $80M from the BSC side.


The Movie (Taken from tx.eth.samczun.com)

In the days that followed, the hackers extracted the funds from the attacking address and disappeared. Detailed analysis reports of the attack were published by Halborn and Certik, and news coverage of the incident appeared in Coindesk, Cointelegraph and others. At the time, it was ranked in the top ten of the rekt.news leaderboard.

We spent the last few days taking another look at this incident, and noticed an interesting detail which, as far as we can tell, went unnoticed in the detailed reports and the news articles published in the days after the attack. It has remained hidden until now.

The bug was introduced on December 13th, 2021 (etherscan), when the token contract address in QBridgeHandler’s “resourceIDToTokenContractAddress” mapping was set to 0. From then on, users were supposed to use the “depositETH” function to deposit Ether, instead of the “deposit” function to deposit WETH.

And now, for the hidden element of the story — the trailer. Two days after the bug was introduced, on December 15th, a transaction (etherscan) exhibited exactly the same behavior as the attack, emitting a Deposit event of 0.000001 Ether to QBridge even though nothing was deposited: safeTransferFrom did not revert on token address 0x0. That was six weeks before the infamous incident, and just two days after the bug was introduced!
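The "trailer" is exactly the signal a bridge monitor should alert on: a Deposit event that no token transfer backs. The following is an added example written for this post, not SphereX's or Qubit's code. It models a bridge handler's logs in a simplified form (the `Deposit` and `Transfer` event shapes, the handler, token and user addresses, the resource IDs and the sample logs are all constructed for illustration and are not Qubit's real ABI or on-chain data) and flags any Deposit whose resource ID maps to the zero token address, or whose transaction contains no matching ERC20 Transfer of the mapped token from the depositer into the handler. Run over the constructed logs, it flags the 0.000001 Ether (10^12 wei) deposit on its first occurrence.

```python
# Added example (not SphereX's or Qubit's code): flag bridge Deposit events that
# no token transfer actually backed, the pattern the "trailer" transaction shows.
# Event shapes, addresses and sample logs are constructed for illustration.
from dataclasses import dataclass, field

ZERO_ADDRESS = "0x" + "00" * 20


@dataclass(frozen=True)
class Log:
    tx_hash: str                  # transaction the log belongs to
    emitter: str                  # contract that emitted it
    event: str                    # "Deposit" (bridge handler) or "Transfer" (ERC20)
    args: dict = field(default_factory=dict)


def find_unbacked_deposits(logs, handler, resource_to_token):
    """Return (deposit_log, reason) pairs for Deposit events emitted by
    `handler` that are not backed, in the same transaction, by an ERC20
    Transfer of the mapped token from the depositer into the handler.

    Two failure modes are flagged:
      * the resource ID maps to the zero address, so safeTransferFrom targeted
        an address with no code and no token could have moved;
      * the mapping looks sane but no Transfer with that sender, receiver and
        amount exists in the transaction anyway.
    """
    by_tx = {}
    for log in logs:
        by_tx.setdefault(log.tx_hash, []).append(log)

    flagged = []
    for tx_logs in by_tx.values():
        for dep in tx_logs:
            if dep.emitter != handler or dep.event != "Deposit":
                continue
            token = resource_to_token.get(dep.args["resourceID"], ZERO_ADDRESS)
            if token == ZERO_ADDRESS:
                flagged.append((dep, "resource ID maps to the zero token address"))
                continue
            backed = any(
                t.event == "Transfer"
                and t.emitter == token
                and t.args.get("from") == dep.args["depositer"]
                and t.args.get("to") == handler
                and t.args.get("value") == dep.args["amount"]
                for t in tx_logs
            )
            if not backed:
                flagged.append((dep, "no matching token Transfer into the handler"))
    return flagged


# Constructed addresses and logs (hypothetical, not real on-chain values).
HANDLER = "0x" + "aa" * 20
WETH = "0x" + "bb" * 20
USER = "0x" + "cc" * 20
RESOURCE_WETH = "weth-resource"    # stands in for a bytes32 resource ID
RESOURCE_ZERO = "zeroed-resource"  # resource whose token address was set to 0

ETHER = 10**18
SAMPLE_LOGS = [
    # Healthy deposit: the handler emits Deposit and WETH emits a matching Transfer.
    Log("0x01", WETH, "Transfer", {"from": USER, "to": HANDLER, "value": 5 * ETHER}),
    Log("0x01", HANDLER, "Deposit", {"resourceID": RESOURCE_WETH, "depositer": USER, "amount": 5 * ETHER}),
    # The "trailer": a Deposit of 0.000001 Ether (10**12 wei) with no Transfer at
    # all, because the resource's token address is 0x0 and nothing reverted.
    Log("0x02", HANDLER, "Deposit", {"resourceID": RESOURCE_ZERO, "depositer": USER, "amount": 10**12}),
    # Mapping is fine, but the Transfer moved a different amount: still flagged.
    Log("0x03", WETH, "Transfer", {"from": USER, "to": HANDLER, "value": 1 * ETHER}),
    Log("0x03", HANDLER, "Deposit", {"resourceID": RESOURCE_WETH, "depositer": USER, "amount": 2 * ETHER}),
]
RESOURCE_TO_TOKEN = {RESOURCE_WETH: WETH, RESOURCE_ZERO: ZERO_ADDRESS}


def run_monitor():
    """Run the check over the constructed logs; returns the flagged pairs."""
    return find_unbacked_deposits(SAMPLE_LOGS, HANDLER, RESOURCE_TO_TOKEN)


if __name__ == "__main__":
    for dep, reason in run_monitor():
        print(f"tx {dep.tx_hash}: Deposit of {dep.args['amount']} wei flagged: {reason}")
```

In a real deployment the mapping would be read through the handler's public getter and the logs pulled from a node per block, but the check itself does not change: the alert fires on the first unbacked deposit, however small, which is what would have surfaced the December 15th transaction six weeks before the funds moved.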

The Trailer (Taken from tx.eth.samczun.com)

Conclusion

“Treat a penny as if it were a fortune.” That “penny” (0.000001 Ether) could have been worth a fortune, had anyone just watched the trailer…

Stay tuned for the next post! Apparently, other horror movies also had trailers.

About the author

Oren Fine
Co-Founder and CTO @ SphereX

Oren is a graduate of the Talpiot academic excellence program, and ex-8200 senior leadership. Oren has more than 20 years of experience in the cyber security domain, from R&D to leadership.
