Mao Nelson* could not go back to sleep on the night of January 28, 2022, after a friend told him that the 695 Ether worth about $2.68 million he had invested the previous October had been stolen when hackers attacked Qubit Finance's cross-chain bridge, a protocol that moves funds between Ethereum and Binance Smart Chain (BSC).
The attackers exploited a programming error in the smart contract of Qubit's X-Bridge: by submitting malicious input to the deposit logic they were able to withdraw tokens on the BSC side of the bridge without ever depositing Ether on the Ethereum side. In all, $90 million worth of cryptocurrency was stolen and 5,616 investors lost their funds.
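The bug class behind this kind of bridge theft is a deposit handler that emits the event the other chain mints against before it has verified that value actually arrived. The following is an added illustration written for this article, not Qubit's code: a hypothetical, simplified deposit handler in its vulnerable form next to a hardened one. The resource-ID mapping, the convention that the zero address denotes native ETH, and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical, simplified bridge deposit handler (illustration only, not Qubit's code).
// A relayer on the destination chain mints wrapped tokens whenever it sees a Deposit
// event, so this side must only emit the event once value has really been received.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract BridgeDepositVulnerable {
    // resourceID => token contract on this chain; assumption: address(0) denotes native ETH
    mapping(bytes32 => address) public resourceToToken;
    event Deposit(bytes32 indexed resourceID, address indexed depositor, uint256 amount);

    function setResource(bytes32 id, address token) external { resourceToToken[id] = token; } // admin control omitted

    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceToToken[resourceID];
        // Flaw: a low-level call to an address with no code returns success and empty
        // return data, so a "transfer" from a token address that is not a contract
        // (for example address(0)) passes without moving anything.
        (bool ok, ) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        require(ok, "transfer failed");
        emit Deposit(resourceID, msg.sender, amount); // relayer mints on the other chain
    }
}

contract BridgeDepositHardened {
    mapping(bytes32 => address) public resourceToToken;
    event Deposit(bytes32 indexed resourceID, address indexed depositor, uint256 amount);

    function setResource(bytes32 id, address token) external { resourceToToken[id] = token; } // admin control omitted

    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceToToken[resourceID];
        require(token != address(0), "use depositETH for native ETH");
        require(token.code.length > 0, "token is not a contract");
        // Measure the balance change instead of trusting a return value; this also
        // credits fee-on-transfer tokens with what actually arrived.
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received == amount, "amount not received");
        emit Deposit(resourceID, msg.sender, received);
    }

    // Native ETH gets its own entry point so the credited amount is exactly msg.value.
    function depositETH(bytes32 resourceID) external payable {
        require(resourceToToken[resourceID] == address(0), "not the ETH resource");
        require(msg.value > 0, "no value");
        emit Deposit(resourceID, msg.sender, msg.value);
    }
}
```

The hardened version's two checks cover two different failure modes: the code-size check stops a call to an address with no contract from silently succeeding, and the balance-difference check ties the emitted amount to what the bridge actually holds rather than to what the caller claimed.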
“I was shocked, disappointed and exhausted,” said Nelson, who lives in China. “I cannot sleep well and often need pills to get some sleep. I am unable to focus on my job. It is a tragedy I keep thinking about. I have lost almost all of my life savings and I feel like I lost the world.”
Attacks on DeFi protocols have been on the rise since 2012. In 2021, $4.25 billion was stolen from DeFi protocols, including cryptocurrency exchanges and cross-chain bridges, a startling increase from the 2020 figure of $1.49 billion. A succession of attacks in the first month of 2022 resulted in the theft of the equivalent of almost half a billion dollars in cryptocurrency and the fourth largest heist in history.
Attracted by the huge funds DeFi protocols sit on, hackers scan smart contracts in public repositories looking for flaws that can be exploited. Arweave News had reported how human negligence and open-source ideology contribute to the vulnerability of protocols to attacks. Following that report, Qubit admitted for the first time that it "failed in its process".
“The desire to launch and scale and the oft frenzy of being the fastest-to-the-market, disincentivise thorough audit by the promoters (of DeFi protocols). Sadly, exploiters continue to take advantage,” said Churchill Kalu, a blockchain legal analyst and principal partner at Yellow Silk Attorneys.
Mound Inc., Qubit's parent company, had a good run in the DeFi space with PancakeBunny, a yield aggregator built on BSC that lets holders earn interest on cryptocurrency assets. It launched in November 2020 and by its fifth month PancakeBunny had $2 billion in total value locked, over 30,000 daily active users and was the leading yield aggregator on the chain.
Impressed by PancakeBunny's scorecard, including its place among the top three finalist projects in the first edition of Most Valuable Builder, a programme aimed at growing the BSC ecosystem, Binance Lab, the innovation incubator of the digital currency exchange Binance, invested $1.6 million. Wei Zhou, the head of Binance Lab at the time, said the firm decided to invest because of "our high rating of the Mound team's execution and product expertise".
But last May PancakeBunny was hit by a flash loan attack. In such an attack the smart contract of a DeFi platform is misused by attackers who borrow a large sum without collateral (a flash loan must be repaid within the same transaction), use it to manipulate the price of a cryptocurrency asset on one market and immediately sell on another. The attack caused a $45 million loss, and Bunny, its token, plummeted in price from $146 to $6.17.
PancakeBunny was yet to recover from the exploit when PolyBunny, Mound's fork on the Polygon blockchain, suffered a flash loan attack in July, about a month after it was launched, losing $2.4 million and sending the price of its token from $10 to below $2. In August Mound created Qubit, which was hacked five months later. Twenty-five days after the hack, Qubit was repackaged and relaunched without compensating investors. With victims of both PancakeBunny and PolyBunny, and now Qubit, yet to be compensated, Mound has a growing list of investors demanding restitution.
Observers say that Mound is too hasty in creating new projects after attacks and has not shown that it has learned from its failures.
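What makes the flash loan attack described above possible is not the loan itself but a contract that prices something off state an attacker can move and restore within one transaction. The following is an added illustration written for this article, not PancakeBunny's or PolyBunny's code: a hypothetical reward vault that values profit by the spot reserves of a constant-product AMM pair, beside a hardened version. The pair and oracle interfaces, the 5% deviation tolerance and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical, simplified reward valuation (illustration only, not Mound's code).
// Assumption: a constant-product AMM pair exposes its reserves, and the vault converts
// profit measured in token1 into a reward paid in token0.

interface IPair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

interface IPriceOracle {
    // Hypothetical external reference oracle: price of token0 in token1, 18 decimals
    function latestPrice() external view returns (uint256);
}

contract RewardVaultVulnerable {
    IPair public immutable pair;
    constructor(IPair p) { pair = p; }

    // Spot ratio read within a single transaction. A flash-loan-funded swap can skew the
    // reserves just before this call and swap back afterwards, so the reward the vault
    // mints is whatever ratio the attacker chose to create.
    function rewardForProfit(uint256 profitInToken1) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return profitInToken1 * uint256(r0) / uint256(r1);
    }
}

contract RewardVaultHardened {
    IPair public immutable pair;
    IPriceOracle public immutable oracle;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% tolerance, assumed
    mapping(address => uint256) public depositBlock;
    mapping(address => uint256) public pendingProfit; // token1 units, credited by logic omitted here

    constructor(IPair p, IPriceOracle o) { pair = p; oracle = o; }

    function deposit() external payable {
        depositBlock[msg.sender] = block.number;
        // accounting omitted
    }

    // A flash loan must be repaid in the same transaction, so refusing to pay out in the
    // block of the deposit removes the atomicity the attack depends on.
    function claim() external returns (uint256 reward) {
        require(block.number > depositBlock[msg.sender], "claim in a later block");
        reward = rewardForProfit(pendingProfit[msg.sender]);
        pendingProfit[msg.sender] = 0;
        // minting of the reward omitted
    }

    // Price from an independent reference, with the spot ratio used only as a sanity
    // check: if the pool has been pushed away from the reference, refuse to pay out.
    function rewardForProfit(uint256 profitInToken1) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 spot = uint256(r1) * 1e18 / uint256(r0);
        uint256 reference = oracle.latestPrice();
        uint256 diff = spot > reference ? spot - reference : reference - spot;
        require(diff * 10_000 <= reference * MAX_DEVIATION_BPS, "spot price deviates from reference");
        return profitInToken1 * 1e18 / reference;
    }
}
```

The same-block guard and the reference-price check address different attacker capabilities: the guard defeats an attacker who needs deposit and claim in one transaction, while the deviation check also catches manipulation spread across a few blocks by a well-funded attacker who does not need a flash loan at all.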
“Everyone, including the founders, is desperate to be a part of this gold rush. Unfortunately, no lesson has been learnt from the website hacks and attacks that have crippled various organisations as well as governments,” Ritesh Bhatia, Cybercrime Investigator and founder, V4WEB Cybersecurity, told Arweave News.
Mound's proclivity for rushing into new projects after every attack highlights the rough and lawless way many protocols operate in the DeFi space, where external regulation is abhorred and booming transaction volume matters more than having a secure smart contract.
The Binance backing that could not save
Binance Lab's statement in March 2021 endorsing Mound gave the company some credibility. For cryptocurrency investors, it was all the assurance they needed to lock their assets in PancakeBunny's vaults, from which they were supplied to Qubit. Some victims of the Qubit exploit told Arweave News that Binance should have helped to prevent the hacker from moving the stolen assets off the chain.
"If not for Binance's endorsement, I would definitely not have put so much Bitcoin on this protocol," said Steve, a Chinese investor who lost 30 Bitcoin worth about $1.2 million. "Binance can get chain validators to blacklist the address, so no validator or node would approve any transfer from that address, but Binance did nothing while the stolen funds were sitting there for 48 golden hours."
While it was possible in principle for Binance to have the attacker's wallet address blacklisted, given the small set of validators that run BSC, doing so risked criticism from staunch supporters of decentralisation in finance. For a brand operating in a space where keeping out regulatory third parties is a catchphrase, a tagline that reads "centralised" would be bad for business.
“If centralised means better protection for users, why not?” asked Steve. “With great power comes great responsibility. In my opinion, it’s actually more beneficial for Binance or BSC to protect their users. There will be more people using BSC if they feel safe. If people really look for decentralisation or complete freedom, they can go for Ethereum chain.”
Binance and Binance Lab did not respond to a detailed list of questions emailed to them.
"By their very concept, DeFis are self-implementing with authority, accountability and responsibility de-concentrated, devolved and delegated to the ledger keepers, the trust element being that the codes are impregnable," said Kalu, the blockchain legal analyst, adding that hacks will continue "until a negotiated compromise is reached to implement a universal standard on interoperability of these technologies which will allow for peer audits."
The extent to which Binance and Binance Lab are culpable for thousands of people subscribing to Mound's flawed projects, and for the hacker being able to move stolen funds out of BSC, may never be known. But the Qubit hack, like other cyber-attacks on projects in the DeFi ecosystem, raises the question of whether protocols get rapid support from the chains they run on after an exploit.
"While hacks are foreseeable, all hacks can never be foreseeable," Kalu said, noting that Binance should have taken care before promoting and lending support to projects. "However, we should always assume that there are people who would readily put technologies to ignoble uses and try the best we can to prevent them," he said.
A rug pull?
A feeling of devastation spread rapidly across the online platforms of both Qubit's and PancakeBunny's global user communities in the aftermath of the attack on Qubit Finance.
“How should I live now?” a member of the Qubit Global Community on Telegram wrote after the attack. “Give me back my money please operator. You hacked yourself; it is all planned. I want to commit suicide. I want to stop living. Please save me. I’ll go up the bridge to jump off tonight.”
No moderator responded to the user's apparent threat to harm himself. Arweave News could not confirm whether the individual was safe afterwards.
In the days that followed the attack, Qubit appealed to the hackers' emotions and raised its bug bounty from $250,000 to $2 million. The hackers did not yield, and later moved some of the assets through Tornado Cash, a mixing service, to obscure the trail of the stolen funds.
“My life has changed. I cannot tell my family and friends… A lot of people have killed themselves. No more DeFi, I prefer centralised,” said an investor in Thailand who declined to give his name.
He lost about $200,000 and believes, like many investors, that the hack was carried out by insiders at Qubit, pointing to the fact that it is the third exploit Mound has suffered and to the protocol's own admission of failure.
“I am sure it is an inside job or at least someone within the developer’s team conniving with hackers somewhere,” said an investor in Mainland China who lost $360,000 and asked to be identified only as Farmer. For another investor in Italy, who lost $60,000 and asked for anonymity, “the market timing, the unaudited function and the new bridge just deployed” suggest it’s an inside job.
Qubit and PancakeBunny did not respond to detailed lists of questions sent to them. Mound Inc. could not be reached for comments.
Arweave News learned that some investors plan to take legal action against Mound Inc., PancakeBunny and Qubit. Some victims have reported the case to law enforcement agencies in countries such as Korea, Singapore, the United States of America and China.
Hammered to silence
Since managers of the protocols became unreachable after the exploit, Qubit's and PancakeBunny's community platforms on Telegram and Discord have become the only means for victims to air grievances, get clarifications and demand accountability and transparency. Moderators of those platforms began expelling victims who queried the handling of issues that arose after the hack, such as alleged extortion through interest on loans and the compensation plans.
The moderators, who are still in communication with managers of the protocols, refused to respond to requests for comment. They subsequently blocked the Arweave News reporter from sending them further direct messages.
New project amidst unresolved controversies
Less than a month after it suffered the exploit, Mound began promoting new features on its PancakeBunny project, urging potential users to "keep calm and hop on". It has also relaunched the Qubit market despite a lacklustre compensation plan that does little to reassure victims. Victims say the new project is another attempt to fleece potential investors.
“While investors should at this stage, become wary of Mound’s projects over an assumption that they lack a culture of thorough audits, Mound and other promoters should also be leniently criticised when these unfortunate incidents occur. Sometimes, failure is the price of innovation,” said Kalu.
But observers and victims say that the growth of decentralised finance could be impeded if the factors that predispose protocols to attack are not addressed and the activities of the operators of exploited projects are not scrutinised to determine their culpability.
“The truth is that technologies are not bad in themselves, however, bad human actors compromise technologies for their benefits,” Kalu said.
* Name has been changed due to the source not wanting to be identified by someone they know.