The cross-chain bridge of DeFi protocol Qubit Finance, called X-Bridge, has been exploited and lost $80 million in the process.
X-Bridge facilitates swapping tokens from Ethereum to Binance Smart Chain. In other words, when someone deposits an ERC-20 token to the bridge, they receive a BEP-20 token in return, which can then be used on Binance Smart Chain.
There was a "logical error" in X-Bridge's smart contract code that led to the exploit, according to blockchain security firm CertiK. The error in the code allowed the attacker to withdraw tokens on Binance Smart Chain when none was deposited on Ethereum.
The attacker ended up netting 77,162 qXETH ($185 million), which they then used as collateral and borrowed other asserts from lending pools worth $80 million, according to CertiK.
These assets are 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), around $9.5 million worth of various stablecoins, and about $5 million worth of CAKE, BUNNY, and MDX tokens.
While the attacker exploited X-Bridge for $185 million, they did not directly convert the 77,162 qXETH to ETH, thus they ended up profiting only $80 million through the above tokens, CertiK told The Block.
"This is by far the largest exploit of 2022 to date," the firm added. Last year, DeFi projects lost $1.3 billion in hacks, according to CertiK.
Qubit Finance said it has contacted the exploiter to offer the maximum bounty. Meanwhile, it has disabled certain functions of X-Bridge until further notice, while claiming of funds is available.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.