With the rise of decentralized finance (DeFi) and the multiplication of the chains that host it, many bridge protocols have emerged. Although they have become indispensable to the ecosystem, they present systemic risks due to their numerous interconnections.
X-Bridge in turmoil: $80 million gone
Qubit is a protocol that belongs to the decentralized finance ecosystem. It offers various services, including a lending service and a bridge called “X-Bridge”.
In practice, X-Bridge allows users to send funds from Ethereum (ETH) to the Binance Smart Chain (BSC) and vice versa. This mechanism takes place in 2 steps:
- Users deposit ERC-20 tokens on the contract hosted on Ethereum;
- The protocol issues and sends the equivalent in BEP-20 tokens on the BSC.
On Friday, January 28, the protocol teams warned the community that an attack had been carried out against the X-Bridge.
According to initial reports, the attacker managed to take advantage of a loophole in the contract to create an unlimited amount of qXETH tokens, the bridge's representation of ETH.
What happened?
The day after the attack, Certik, a company specializing in blockchain analysis and smart contract auditing, published a report reviewing the attack.
We learn that in total the attacker managed to steal the equivalent of 17,162 qXETH, or about $185 million. These ETH were then used to borrow the equivalent of $80 million in cryptocurrencies.
In reality, the attacker took advantage of a missing verification in the bridge’s deposit function:
- The attacker called the deposit() function on the QBridge contract, without attaching any ETH to the transaction;
- The data passed with the transaction should have expressed the amount of ETH deposited; instead, the attacker inserted malicious data;
- The protocol issued the equivalent amount of ETH on the BSC side.
The attacker was thus able to siphon off a large part of the protocol’s liquidity.
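To make the missing check concrete, here is an added example (not Qubit's code) in Solidity contrasting a deposit handler that trusts an amount supplied in calldata with one that derives it from the ETH actually attached to the call; the contract and event names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified bridge deposit handler (illustration only).
// An off-chain relayer watches the Deposit event and mints the wrapped
// representation on the destination chain for the amount it carries.
contract VulnerableBridgeDeposit {
    event Deposit(address indexed from, uint256 amount);

    // Vulnerable pattern: the amount comes from caller-controlled calldata
    // and is never compared with the ETH actually attached (msg.value).
    // A call with msg.value == 0 still emits a Deposit event, so the
    // relayer would mint tokens that nothing on this chain backs.
    function deposit(bytes calldata data) external payable {
        uint256 amount = abi.decode(data, (uint256));
        emit Deposit(msg.sender, amount);
    }
}

contract HardenedBridgeDeposit {
    event Deposit(address indexed from, uint256 amount);

    // Hardened pattern: the minted amount is msg.value itself and
    // zero-value deposits are rejected, so the event can never claim
    // more than the contract actually received.
    function deposit() external payable {
        require(msg.value > 0, "no ETH attached");
        emit Deposit(msg.sender, msg.value);
    }
}
```

As a detection aid, a relayer can additionally refuse to mint for any Deposit event whose amount exceeds the value of the transaction that emitted it.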
Trading and clearing
In its post-mortem published the day after the attack, Qubit explains that it tried to get in touch with the attacker. The protocol offered the attacker a generous reward for returning the funds.
Meanwhile, the protocol has paused most of its functionality. However, no announcement has yet been made regarding a refund for the affected users or a compensation plan.
Fortunately, the attack on this protocol did not lead to any systemic repercussions on the Ethereum and BSC blockchains. However, this risk is indeed present, as Vitalik Buterin recently pointed out in an article dedicated to cross-chain bridges.