Qubit Protocol Exploit Post-Mortem (January 2022)
Incident Summary
The Qubit protocol experienced a security breach affecting its QBridge deposit function on January 27, 2022.
Timeline
• 09:18:55 PM UTC: Attacker received 0.8887725 ETH via Tornado Cash
• 09:34:01 PM - 09:50:41 PM UTC: 16 deposit transactions sent to QBridge on Ethereum
• 09:36:32 PM - 09:51:02 PM UTC: 16 voteProposal transactions relayed to BSC
• Result: xETH tokens minted and used as collateral to withdraw protocol liquidity
Technical Root Cause
The vulnerability stemmed from legacy code that remained active post-upgrade:
> "tokenAddress is 0, so safeTransferFrom didn't fail and the deposit function ended normally"
When the
depositETH function was introduced, the older deposit function should have been retired. However, it persisted with tokenAddress pointing to the zero address instead of WETH. This allowed the safeTransferFrom call to execute without properly validating token transfers.Attack Vector
The attacker exploited the vulnerable deposit function by:
1. Calling QBridge's deposit function on Ethereum with a zero-address token reference
2. Bypassing legitimate token transfer validation
3. Triggering minting of xETH tokens across the bridge to BSC
4. Using minted tokens as collateral to drain protocol liquidity
Response Actions
• Disabled Supply, Redeem, Borrow, Repay, and Bridge functions
• Maintained Claiming functionality
• Engaged with security partners and Binance
• Offered maximum bounty to the attacker
Financial Impact
~$80 million total drain from QBridge collateral.