Qubit QBridge Infinite Mint
An attacker tricked Qubit's BSC bridge into minting 77,162 qXETH ($185M nominal) without depositing any ETH, then used it as collateral to borrow 206,809 BNB ($80M).
- Victim: Qubit Finance
On January 27, 2022, the BNB Chain lending protocol Qubit Finance lost 206,809 BNB (~$80 million) in a single exploit. The attacker minted 77,162 qXETH — a bridged representation of Ethereum, nominally worth $185M — without ever depositing any ETH on the Ethereum side of the bridge, and used the fake collateral to borrow everything available on Qubit.
What happened
Qubit's QBridge connected Ethereum and BNB Chain. The intended flow on the Ethereum side:
- User deposits ETH (or another asset) into the bridge contract.
- The bridge emits an event.
- A relayer detects the event and mints the corresponding qXETH on BNB Chain.
The QBridge contract on Ethereum had a deposit() function that handled real ETH. It also had a separate depositETH() path, which should only have been callable as part of an actual ETH transfer. The bug: depositETH() was implemented in a way that could be triggered without an actual transfer of ETH — the relayer side processed the emitted event as legitimate and minted qXETH on BSC.
Steps:
- The attacker called the vulnerable function path on the Ethereum bridge with zero ETH transferred.
- The bridge emitted a deposit event for the attacker's address.
- The cross-chain relayer minted 77,162 qXETH to the attacker on BSC.
- The attacker used qXETH as collateral in Qubit's lending markets and borrowed every asset Qubit had to lend — primarily 206,809 BNB ($80M), but also BTC-B, stablecoins, CAKE, BUNNY and MDX.
- The attacker walked away. The Ethereum side of the bridge held essentially no actual ETH backing the inflated qXETH supply.
Aftermath
- Qubit paused the protocol within hours and offered a $250,000 bounty for return of funds (under its Immunefi bug-bounty program), which went unanswered.
- The attacker laundered the funds through Tornado Cash; nothing was recovered.
- Qubit Finance never meaningfully recovered as a protocol.
Why it matters
Qubit is the textbook bridge "fake deposit" exploit. Every cross-chain bridge has the same structural risk: the destination chain mints a representation based on a claim about the source chain's state, and anything that lets an attacker fake that claim breaks the bridge entirely. The class of bug has since recurred in different forms at Nomad, Wormhole, BNB Bridge and others — each through a different specific mechanism, all reading the same way on-chain: "X tokens minted on the destination, zero locked on the source."
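The invariant described above, as an added example that is not part of the original write-up or Qubit's code: a relayer-side check that refuses to mint on an event alone, plus a supply monitor for the "minted on the destination, zero locked on the source" signature. The event and transaction shapes, function names, hashes and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class DepositEvent:
    """Hypothetical shape of a deposit event as seen by the relayer."""
    tx_hash: str
    depositor: str
    claimed: Decimal          # ETH amount the event claims was deposited

@dataclass(frozen=True)
class SourceTx:
    """Hypothetical view of the same transaction read from the source chain."""
    tx_hash: str
    value_to_bridge: Decimal  # ETH that actually reached the bridge contract

def mint_decision(event: DepositEvent, tx: Optional[SourceTx]):
    """Approve a mint only if the source chain shows the claimed ETH arriving."""
    if tx is None or tx.tx_hash != event.tx_hash:
        return False, "no matching source transaction"
    if event.claimed <= 0:
        return False, "non-positive claimed amount"
    if tx.value_to_bridge < event.claimed:
        return False, f"claimed {event.claimed} ETH, bridge received {tx.value_to_bridge}"
    return True, "backed by locked ETH"

def unbacked_supply(minted_on_destination: Decimal, locked_on_source: Decimal) -> Decimal:
    """Solvency monitor: wrapped supply that has no ETH locked behind it."""
    return max(minted_on_destination - locked_on_source, Decimal(0))

# Constructed sample data (tx hashes and addresses are placeholders).
EVENTS = [
    DepositEvent("0xtx-honest", "0xalice", Decimal("1.5")),
    DepositEvent("0xtx-fake", "0xattacker", Decimal("77162")),
]
SOURCE_TXS = {
    "0xtx-honest": SourceTx("0xtx-honest", Decimal("1.5")),
    "0xtx-fake": SourceTx("0xtx-fake", Decimal("0")),  # event emitted, no ETH sent
}

def review(events, source_txs):
    """Map each event's tx hash to its (approved, reason) decision."""
    return {e.tx_hash: mint_decision(e, source_txs.get(e.tx_hash)) for e in events}

if __name__ == "__main__":
    for tx_hash, (ok, why) in review(EVENTS, SOURCE_TXS).items():
        print(tx_hash, "MINT" if ok else "REJECT", "-", why)
    # Supply monitor view if both events had been minted with only 1.5 ETH locked.
    print("unbacked:", unbacked_supply(Decimal("77163.5"), Decimal("1.5")))
```

The per-event check stops the mint before it happens; the supply monitor is the after-the-fact alarm that should page someone and pause the bridge when the gap is non-zero.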