Did anyone watch the movie’s trailer?
The Qubit Finance incident is still among the greatest breaches in the history of smart contracts. Over 80 Million dollars were stolen in less than 90 min, and the attack is still ranked in the top twenty of the rekt.news leaderboard.
The movie begins on the night of January 27th 2022. Hackers exploited a bug in Qubit Finance’s smart contract (etherscan), which enabled them to fabricate deposits into the Ethereum side of QBridge. In less than an hour, the attackers withdrew crypto funds worth of $80M from the BSC side.
In the days that followed, the hackers extracted the funds from the attacking address and disappeared. Detailed analysis reports of the attack were published by Halborn, Certik and news about the incident were published in Coindesk, Cointelegraph and more. At that time, it was ranked in the top ten of rekt.news leaderboard.
We spent the last few days taking another look at this incident, and noticed an interesting detail, which, as far as we can tell, went unnoticed in the detailed reports and the news articles published in the days after the attack. It remained hidden until this day.
The bug was introduced on December 13th, 2021 (etherscan) when the token contract address in QBridgeHandler’s “resourceIDToTokenContractAddress” mapping was set to 0. Users were now supposed to use the “depositETH” function to deposit Ether, instead of the “deposit” function to deposit WETH.
And now, for the hidden element of the story — the trailer. Two days after the bug was introduced, on December 15th, a transaction (etherscan) exhibited the same exact behavior as the attack, emitting a deposit event of 0.000001 Ether to the QBridge though nothing was deposited and safeTransferFrom did not revert on token address 0x0. This is six weeks before the infamous incident, and just two days after the bug was introduced!
“Treat a penny as if it were a fortune”. That “penny” (0.000001 Ether), could have been worth a fortune, had anyone just watched the trailer…
Stay tuned for the next post! Apparently, other horror movies also had trailers.
Oren is a graduate of the Talpiot academic excellence program, and ex-8200 senior leadership. Oren has more than 20 years of experience in the cyber security domain, from R&D to leadership.