It’s the largest crypto hack of 2022.
In just 20 minutes, hackers stole approximately $80 million in cryptocurrency yesterday afternoon by exploiting a bug on the Qubit Finance platform that lets users convert one form of digital currency into another. This morning, the company asked the hackers to “negotiate directly with us before taking any further action,” saying they were “open to hav[ing] a conversation” if the hackers want more than Qubit’s standing offer of $250,000 for reports about security flaws, according to a Friday tweet.
The question now is whether the “exploiters” will take Qubit’s offer.
The hackers exploited a tiny bug
Qubit is a “decentralized finance” (DeFi) platform, meaning it offers cryptocurrency users financial services like trading, lending, and borrowing. The attack on Qubit took advantage of another service: the platform’s “bridge” between the digital ledgers, where two major cryptocurrencies are stored and traded. That bridge allows users to deposit cryptocurrency on the Etherium network and withdraw cryptocurrency of the same value on the Binance Smart Chain. The hackers behind this exploit took advantage of an error in Qubit’s code that allowed them to make a withdrawal without making any deposits.
After the theft, all Qubit could do was post a polite note — addressed “Dear Exploiter” — to Twitter and hope that whoever absconded with the funds could be convinced to give it back. The problem is that transactions on the platform are governed by self-enforcing digital contracts that can’t be reversed by anyone. Unlike conventional banking, no entity controls the flow of funds on DeFi platforms. That means that when assets are stolen, they’re usually gone for good.
DeFi platforms are prone to theft
What happened to Qubit is far from unusual. Fraud and theft are rampant in the world of decentralized finance, which has grown rapidly in recent years. The number of DeFi transactions increased by more than 900% in 2021 alone. That growth appears to be happening too quickly for security measures to keep up. The same year, thieves stole more than $10 billion in cryptocurrency on DeFi platforms, according to one research firm. That’s more than 70% of all the cryptocurrency stolen that year. But not every theft proves to be a total loss: Last August, a hacker stole $600 million from a different DeFi network and then returned it, claiming to have been keeping the funds safe until the bug that allowed the theft was fixed.
This string of major security breaches hasn’t kept crypto users or investors away from the DeFi ecosystem. For instance, Silicon Valley venture capital firm Andreessen-Horowitz said earlier this month that it had invested $25 million in a DeFi protocol that enables users to take out cryptocurrency loans without having their own crypto to put up as collateral. The rapid pace of innovation in the DeFi sector is “attracting large amounts of capital to projects that are not always robust or well-tested,” according to Tom Robinson, who co-founded a company that monitors and prevents illicit activity in the crypto industry. “Criminal actors have seen the opportunity to exploit this.”
Now the biggest question is whether the hackers behind this heist will see any reason to give back what they took. Thousands of Qubit users stand to suffer losses if they don’t, but that risk could be the cost of doing business on a DeFi platform, at least for now.