Qubit, a decentralized finance (DeFi) platform, has publicly offered $2,000,000 to a hacker who stole $80 million worth of cryptocurrency from it last week.
Late on the evening of 27 January, according to an incident report published by Qubit Finance, a hacker exploited a vulnerability to steal over 206,000 Binance coins from the company's QBridge protocol.
In a tweet, blockchain security firm PeckShield said that QBridge was hacked to mint a "huge amount of xETH collateral and drain the pool funds about $80M."
As security firm CertiK explains, the attacker exploited "a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum."
Qubit, meanwhile, said it was tracking the exploiter and monitoring affected assets. And although it did not know the true identity of the hacker, they had sent their attacker a message offering to pay a reward in the hope of the safe return of the funds.
Initially Qubit pointed to its bug bounty program, which offers a maximum $250,000 reward to discoverers of the most critical vulnerabilities.
This is the Qubit Finance team.
We propose you to negotiate directly with us before taking any further action.
The exploit and loss of funds have a profound effect on thousands of real people.
If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let's figure out a solution.
Qubit Finance Team
However, perhaps realising that wasn't going to be enough to coax the attacker into handing over the funds, Qubit later upped its offer to $1 million, and then to $2 million with the promise that the attacker would not be prosecuted.
We have secured the funds to be able to pay a bounty of $2,000,000 in line with the historically high Polygon bounty and our total limit, without prosecution. We continue to work with security firms throughout the ecosystem and independently to resolve this exploit. The entire Qubit community is hopeful you will do the right thing and accept the offer.
To be honest, if I were criminally minded and had stolen $80 million from Qubit, I might be very happy holding out, and seeing if the company could offer me a reward significantly closer to $80 million...
News of the hack is, of course, potentially catastrophic for Qubit and very worrying for its users. Once again, a cryptocurrency DeFi platform has found its security wanting, and left to beg hackers for the return of stolen funds. The promise to pay attackers a "bug bounty" reward to its seemingly criminal attackers would itself appear to be legally questionable in some parts of the world.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024