Qubit Finance, a decentralised finance (DeFi) protocol and cross-chain bridge that enables the movement of cryptocurrency assets between blockchains, and which was attacked by hackers in January, has admitted to an operational failure that weakened the security of its smart contract. This fault led to a heist of $80 million worth of cryptocurrency.
Qubit Finance admitted to the failure, for the first time, directly following a report by Arweave News. The report investigated how human factors contribute to the failure of DeFi protocols.
As of the time of writing, one month into 2022, five DeFi protocols have been attacked and about half a billion worth of cryptocurrency has been stolen. Cyber-security experts told Arweave News that many DeFi protocols do not take security seriously.
“Regarding the matter of security, we do acknowledge a failure in the process. Moving forward, we will continue to carry out code auditing and internal testing as part of the review and test process,” Qubit wrote on Twitter.
“We will transparently disclose the developed code to white hackers before launching in order to expedite the bug bounty process. Bug bounty programs will be active at all times and not just as part of code review.”
Attackers exploited an error in Qubit’s code to input malicious data and withdraw tokens on the Binance Smart Chain side of the bridge without depositing any on the Ethereum side, a post-attack report by CertiK stated.
Theori, a cyber-security firm that audited Qubit’s smart contract in December 2021, a month before the attack, had said the code was modified by Qubit after it completed its task – a move which created the flaw in security and enabled the subsequent attack. Qubit had previously denied that the code related to the attack was audited by Theori.
Following Qubit’s admission of failure, investors and victims are calling for the prosecution of the protocol’s managers and its parent company, Mound Inc. One investor, who lost $200,000 and asked not to be named, said Qubit’s tweets were upsetting and of no importance.
“After the hack happened, Qubit told us they called Binance Smart Chain (BSC) but the hacker could still move the money out of BSC (no wallet lock). They told us they contacted the police but made details of the report secret. They told us they had contacted Tornado but the hackers could still cash out. They said they would help victims but they threw us out of community platforms,” the victim said.