Quantum-resistant Layer 1 blockchain QANplatform has suffered a malicious exploit to its bridge platform, resulting in the theft of $2 million worth of tokens, according to data from Etherscan.
“The bridge smart contract that is offline was hacked and the attacker managed to withdraw tokens,” QANplatform said, confirming the hack.
Data from Etherscan shows two bulk withdrawals from the project’s Ethereum cross-chain bridge took place between 08:17 AM and 09. 40 AM UTC on Oct. 11. These two withdrawals totaled roughly 1.46 billion QANX tokens — worth about $1 million at the time of the attack. One of the addresses involved in the attack has also been linked to other phishing attacks. The hacker also stole another $1 million worth of QANX tokens from the BNB cross-chain bridge, data from BSCscan shows. This happened around the same time as the first withdrawal from the Ethereum side of the bridge.
Bridge security has become a major issue in the crypto industry following several major attacks. For example, earlier in October, a hacker stole $100 million from the BNB Chain cross-chain bridge.
Today’s hack may also be related to the profanity address vulnerability that has also plagued other projects. This particular vulnerability has to do with vanity addresses — special custom addresses created by users. Security researchers previously identified a weakness associated with these addresses, through which their private keys can be “brute-forced.”
According to blockchain security outfit BlockSec, the QANplatform’s deployer address is vulnerable to the bug. As such, it is possible that the attacker may have been able to uncover the private keys and used them to withdraw funds from the bridge.
The QANplatform hacker has already begun to sell the tokens on Uniswap for ether (ETH). As of the time of publishing, the attacker has sold approximately 30% of the stolen funds in exchange for 230 ETH, worth $295,000. This selloff and the news of the hack have seen the QANX token take a massive tumble, dropping 94% from $0.012 to $0.0007 in less than an hour.
The attacker may now face some difficulties in disposing of the remainder of the stolen funds. QANplatform has withdrawn liquidity for its token from both Uniswap and Pancakeswap. “The trading, deposits and withdrawals on CEXes has been paused,” the team added. (CEXes, in this context, refer to centralized exchanges.) QANX is listed on centralized exchanges such as BitMart, MEXC Global and Gate.io. The hacker has also begun to launder the remaining funds via the US Treasury-sanctioned Tornado Cash.
QANplatform also urged users not to conduct any transactions with the QANX token, and noted that it is investigating the incident. “Most likely we are going to do a snapshot before the hack and airdrop tokens according to it,” the project stated.
Update: This article has been updated to state that $2 million worth of tokens were stolen in the hack and that the funds are being laundered via Tornado Cash.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.