On the evening of January 27th, 2022, an unknown hacker successfully exploited a vulnerability in Qubit Finance’s Ethereum-BSC bridge. This exploit allowed them to amass 77,162 qXETH tokens.
The malicious data inputted by the attacker granted them access to funds that were not deposited on ETH but on BSC – allowing for their withdrawal from Qubit’s platform with 77162 qXETH tokens. The hacker then used this as collateral against loans within the system before swapping it all out for 200k BNB (~$80M).
The graph below shows how 7500 ETH was transferred from the hackers address to Tornado while 22 212 588 852 ETH remains at that same address today. It also highlights two bridges (Synapse and Celer) through which funds were sent from BSC to facilitate the flipping process.
To retrieve the stolen funds, Qbit Finance offered negotiations to exploiter.