spherex Research

Qubit Finance Hack — The Movie Had a Trailer

2 min read ・ Aug 14, 2023 ・by Oren Fine

Did anyone watch the movie’s trailer?


The Qubit Finance incident is still among the greatest breaches in the history of smart contracts. Over 80 million dollars were stolen in less than 90 minutes, and the attack is still ranked in the top twenty of the rekt.news leaderboard.

The movie begins on the night of January 27th, 2022. Hackers exploited a bug in Qubit Finance’s smart contract (etherscan), which enabled them to fabricate deposits into the Ethereum side of QBridge. In less than an hour, the attackers withdrew crypto funds worth $80M from the BSC side.


The Movie (Taken from tx.eth.samczun.com)

In the days that followed, the hackers extracted the funds from the attacking address and disappeared. Detailed analysis reports of the attack were published by Halborn and Certik, and the incident was covered by Coindesk, Cointelegraph and others. At the time, it was ranked in the top ten of the rekt.news leaderboard.

We spent the last few days taking another look at this incident and noticed an interesting detail which, as far as we can tell, went unnoticed in the detailed reports and the news articles published in the days after the attack. It has remained hidden until this day.

The bug was introduced on December 13th, 2021 (etherscan), when the token contract address in QBridgeHandler’s “resourceIDToTokenContractAddress” mapping was set to 0. From then on, users were supposed to deposit Ether with the “depositETH” function instead of depositing WETH with the “deposit” function.

And now for the hidden element of the story: the trailer. Two days after the bug was introduced, on December 15th, a transaction (etherscan) exhibited exactly the same behavior as the attack. It emitted a deposit event of 0.000001 Ether to the QBridge although nothing was deposited, since safeTransferFrom did not revert on token address 0x0. That is six weeks before the infamous incident, and just two days after the bug was introduced!

The Trailer (Taken from tx.eth.samczun.com)
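As an added example (not Qubit’s code and not part of the original post), here is a simplified handler showing why a low-level “safe” transferFrom does not revert against a codeless address such as 0x0, next to a checked variant that rejects it. The contract name, the `deposited` mapping, the `setResource` function and the exact shape of `_safeTransferFrom` are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the failure mode described above: an assumed, simplified
// handler, not Qubit's QBridgeHandler source. Access control is omitted for brevity.
contract SimplifiedHandler {
    mapping(bytes32 => address) public resourceIDToTokenContractAddress;
    mapping(bytes32 => uint256) public deposited;

    event Deposit(bytes32 indexed resourceID, address indexed depositor, uint256 amount);

    function setResource(bytes32 resourceID, address token) external {
        // The misconfiguration on the page: this called with token == address(0).
        resourceIDToTokenContractAddress[resourceID] = token;
    }

    // A "safe" transferFrom in the common low-level style (assumed shape). Its only
    // checks are "the call succeeded" and "returned data, if any, decodes to true".
    // A call to an account with no code (address(0) included) succeeds and returns
    // empty data, so neither check trips and nothing reverts.
    function _safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSignature("transferFrom(address,address,uint256)", from, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }

    // Vulnerable: with the mapping set to address(0) this emits a Deposit event for
    // any amount while no tokens move into the bridge.
    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceIDToTokenContractAddress[resourceID];
        _safeTransferFrom(token, msg.sender, address(this), amount);
        deposited[resourceID] += amount;
        emit Deposit(resourceID, msg.sender, amount);
    }

    // Hardened: refuse to treat a codeless address as a token, so a deposit against
    // token 0x0 (the "trailer" transaction) reverts instead of emitting an event the
    // other side of the bridge trusts.
    function depositChecked(bytes32 resourceID, uint256 amount) external {
        address token = resourceIDToTokenContractAddress[resourceID];
        require(token != address(0) && token.code.length > 0, "resource is not a token contract");
        _safeTransferFrom(token, msg.sender, address(this), amount);
        deposited[resourceID] += amount;
        emit Deposit(resourceID, msg.sender, amount);
    }
}
```

The same code-existence check belongs in any monitoring rule as well: a Deposit event whose resource resolves to an address with no code is the signal the trailer transaction gave six weeks early.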

Conclusion

“Treat a penny as if it were a fortune.” That “penny” (0.000001 Ether) could have been worth a fortune, had anyone just watched the trailer…

Stay tuned for the next post! Apparently, other horror movies also had trailers.

About the author

Oren Fine
Co-Founder and CTO at spherex technologies
Follow

Oren is a graduate of the Talpiot academic excellence program, and ex-8200 senior leadership. Oren has more than 20 years of experience in the cyber security domain, from R&D to leadership.
