DeFi Platform Qubit Finance Begs Hacker To Return $80 Million In Stolen Funds

Qubit Finance took to Twitter last night to beg hackers to return more than $80 million in stolen cryptocurrency this week. ZDNet reports: On Thursday, the DeFi platform said their protocol was exploited by a hacker who eventually stole 206,809 binance coins from Qubit's QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that they were tracking the exploiter and monitoring the stolen cryptocurrency. They noted that they contacted the hacker and offered them the maximum bug bounty in exchange for a return of the funds, something a number of other hacked DeFi platforms have tried to middling success. They shared multiple messages on Twitter that they purportedly sent to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds.

"We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let's figure out a situation," the Qubit Finance Team wrote. The company later explained in a blog post that their Qubit protocol "was subject to an exploit to our QBridge deposit function." [...] Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts. "For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum," CertiK explained.

When you beg, you need more punishment.

[iamnotx0r]

Quit buying tulips.

Re:

[h33t l4x0r]

Buying tulips is still safe, just be careful with decentralized tulip staking platforms.

Re:

[gweihir]

What about NFTs of Tulips? Will I have to cry "All my Tulips! Gone!" or are these safe?

may need an soldiers of fortune gun for hire ad to

[Joe_Dragon]

may need an soldiers of fortune gun for hire ad to get anything from this hacker

Re:may need an soldiers of fortune gun for hire ad

[FuegoFuerte]

"In 1972, a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them....maybe you can hire The A-Team."

Note: The A-Team works for cash and gold chains only. The A-Team does not accept or endorse crypto or other fake currencies, but they do pity the fool who has poured money into such dumpster fires.

Re:

[chill]

Someone [ispot.tv] begs to differ.

So the reason some thieves returned funds

[rsilvergun]

After a crypto hack is because the exchanges were able to step in and prevent those thieves from cashing in the currency. The only possibility they'll get any money back is if there's some Central authority that can prevent the hackers from getting to that 80 million.

And why yes, this does mean that most cryptocurrencies are centrally managed now just like our federal reserve and banking system here in America.

The beauty of crypto is that if it works it doesn't work and when it doesn't work it works except it still doesn't work. Did you get all that?

Re:

[h33t l4x0r]

No that's not true, the ones where they got their money back were times when the hacker left some personally identifying info linking to his wallet address. If they don't do that they can spin it, move it to btc and cash out.

There's been several cases where the hacker

[rsilvergun]

Return the funds. If they'd have the hackers wallet address and could drive the identity from it they wouldn't have just waited peacefully for the hacker to give the money back they would have given it to the authorities and let the hacker be arrested.

The hackers in those cases return the money because it was worthless to them and that way they largely escaped prosecution because the people who are hacked wanted to keep things quiet and not involve the authorities if they could help it. Likely to avoid dr

Re:

[h33t l4x0r]

Right, if they can link the wallet to you, you have to give it back. Otherwise you don't. They recovered around 50% of money taken from defi platforms so far but that number seems to be going down.

It's easy enough to launder the funds

[rsilvergun]

even if it's linked to the wallet. Crypto is tailor made for money laundering.

What's happened in several cases is they didn't link the wallet or catch the guy, they knew which coins were stolen and the exchanges got together and did a 51% attack on the chain (using the large amount of crypto they hold for the purposes of being exchanges) to stop the trades going through and/or roll them back. That made the currency worthless (since they couldn't start up a money laundering engine), so they gave it back.

Re:

[h33t l4x0r]

It wasn't an attack, it was a fork. Binance isn't going to do that over $80M

Is there a difference?

[rsilvergun]

I mean a practical one. The point is the exchanges can exert centralized power. How they exert it is irrelevant. But when it happened to Coinbase they just stopped the trades. They didn't call it an attack, they just did it and nobody batted an eye.

Re:

[h33t l4x0r]

Sure but we're talking about defi right now. If they don't know who the guy is, they won't be getting their money back.

Re:

[onepoint]

Because I don't know, and I would love to find a citation.
If you steal bitcoin via a hack, is the crime of bit coin theft punishable in the USA?
I know the hacking yes, but the coins themselves.

Other News: DeFi Platforms Agree on a Standard...

[raftpeople]

...to automate future hacks.

The CEO of one company stated: "We don't necessarily want hacks, but if they are going to happen then we might as well set some standards to reduce work.

This should reduce the amount of work we have to do in response by simplifying our request to the hackers to return funds. This also reduces work for the hackers by eliminating some of the things they do to try to hide their tracks, so we think they will buy into it also, it's a win-win"

Re:

[Fly Swatter]

When they go out of business that would be the best work reduction. And the hackers will move on to the next schemer.

"it's a win-win"

Re:

[gweihir]

Definitely a win-win all around!

Re:

[znrt]

can't be bothered to go to the last detail of it myself, but it genuinely looks like a spectacular flunk in design or implementation that was hilariously easy to exploit.
https://twitter.com/CertiKComm... [twitter.com]

interesting case maybe showing that technicians are being as naive and gullible as investors or consumers, if not more. this is unreal, when this whole shit comes down it is going to hurt.

Re:

[postbigbang]

Tough or easy, it was hacked.

My guess is: Easy. A wallet should have serious guards, even proxy authentication/authenticators that obviate the BTC verification ritual dance, serializing transactions.

But no, then it's not transactional anonymity.

Security could be REALLY easy with its own blockchain. Kinda like Venmo. But that's not what cryptocurrency is about.

Re:Not possible

[AleRunner]

It's not possible to "steal" from a smart contract, because the contract itself defines who owns what and what actions are legitimate.

What they mean is that they and their users signed on to a contract that didn't mean what they thought it meant.

Tough shit.

This so much. These people set out to destroy the existing systems of finance, they complain about the law courts ansd the central banks and are setting out to destroy them. There's a reason they are in there early. They hope that everyone else will be forced onto the same systems as them later and they hope to make a killing taking everything from the people that are forced to buy in later. Not all of that is bad - some people are experimenting and trying to develop better systems. Anyone that's gone in for real money now, though, is fundamentally relying on a pyramid scheme to rip off the rest of the world. If they are telling us that we should later start to run everything with their DeFi (DeregulatedFinance) they it had better be debugged properly. Don't come back asking for our sympathy and charity now.

Re:Not possible

[Lisandro]

Yeah. The "code is law" crowd didn't really thought this one out, it seems.

Re:

[srussia]

"The law is an ass." (code or not)

Re:

[gweihir]

Well, code is hard and most code is bad. But the thing is that most coders do not know their code is bad. Hmm.

Re:

[sudonim2]

I wish I had mod points left to boost this.

Hmmmm....

[Anonymous Coward]

$80,000,000 vs $250,000? Let me think... nah, I'll take the $80,000,000.

When you thought things could not get more stupid

[gweihir]

Something like this happens. I mean, is this kindergarten? Will they complain to the kindergarten teacher next that the hacker was mean to them?

Stupidity should hurt badly

[couchslug]

Stupidity should be punished with maximum suffering lest it be encouraged.

Are the rest of the exchanges the same?

[oldgraybeard]

Do any exchanges have a backup/cash reserve/deep pockets of any kind? Are they all one hack away from gone?

Re:

[turp182]

This was a bug, not a hack. This is why a 3 letter agency isn't mentioned ($80 million isn't chump change).

Yes, they are one hack away from gone. Any protocol suffering an issue this bad where "protocol was exploited" IS the problem, is pretty much doomed and will go away...

Exchange active trade reserves is another topic, the hot wallets used for active transfers to/from accounts.

Huh?

[Richard_at_work]

Why should this affect “thousands of real people”?

Surely the company is insured against loss and can make its users “whole”? And surely they can blacklist individual coins, flagging them up as “stolen” when an attempt is next made to transfer them on the blockchain?

This company isnt stupid enough to act as a financial services company without insurance, right?

Re:Huh?

[sudonim2]

Remember the story of the libertarian asshole who refused to pay to be covered by the town fire department and also refused to allow his property to be incorporated into the town. Then his house caught fire and the fire department sat outside his house and watched as he sobbed while his house burnt to the foundations. This reminds me of that.

Re:

[Junta]

Or the multiple goes of Libertarians going to create 'utopias', and end up appealing to the courts when they get screwed by suing people who wronged them. Suddenly they didn't have a purely capitalist solution and the courts they eschewed looked mighty good.

Re:

[onepoint]

I have listened to the 911 tape of the guy screaming and pleading to save his home, while the fire department is watering the next door neighbors home. While this is not the case I recall, here is a similar citation https://www.nbcnews.com/id/wbn... [nbcnews.com]

I recall your story also, I know it as a sovereign citizen not a libertarian.

I dislike that Libertarians are clump up with Socialist and other groups ( I myself am a firm believer in capitalism, with higher taxes and free healthcare).

Re:

[sudonim2]

Sovereign citizens are a subgenre of the Libertarian/Bircher/Alt-right sphere. The Venn diagram isn't quite a circle, but it's close.

Also, everywhere but in America, Libertarian means center-left. An overly reductive spectrum is Libertarian->Liberal->Social Democrats->Greens->Democratic Socialists->Socialist->Marxist/Leninist/Communist.

Swim with sharks, get eaten by them ...

[140Mandak262Jamuna]

If crypto works as advertised, that is the transactions are totally anonymous, it is no better than stuffing mattresses with cash.

As you try to use crypto to pay for something in the real world, lots of counter parties would have no incentive to protect your identity. Once the wallet and a real world identity is connected all the transactions are public. At that point it is way worse than stuffing mattresses with cash.

This time the the platform got hacked.

If it is truly anonymous, what would stop croo

Re:Swim with sharks, get eaten by them ...

[XXongo]

If crypto works as advertised, that is the transactions are totally anonymous,

But it isn't. Every cryptocurrency transaction is logged forever. Anonymity comes if, and only if, you have the ability to keep your wallet anonymous.

Anonymity isn't a feature of the blockchain: it's something you maintain.

Re:

[ceoyoyo]

If it is truly anonymous, what would stop crooks from holding some hostage and demanding ransom in crypto?

Well, nothing really. Except the crooks have figured out that the whole kidnapping thing is almost as bad as the whole collecting the ransom thing used to be.

People pay more to get their data back, and you can steal that online.

Re:

[sudonim2]

No crypto has ever been anonymous. The entire chain is publicly viewable. A prepaid debit card or a Cash app account you lied about your info on is more anonymous.

Re:

[kmoser]

Anonymous doesn't mean hidden. It just means it can't be traced back to an individual person or entity.

Re: Swim with sharks, get eaten by them ...

[Åke Malmgren]

No, it only means that it can't be tracked inherently. But if it's tracked by some other means just once, everything you've done is suddenly public.

Re:

[Junta]

You can't have anonymity without hiding the info in practice. In a ledger where *everything* is out in the open, it's pretty much a certainty that there's a transaction that ties a wallet to a human in an obvious way and from that point everything is connected. If you send me crypto for me to ship you a product, then I have your address. Once I use a parcel service, they know who I am because they had to get the parcel from me. Tying humans to wallets in practice is not that difficult for investigators a

Environmental Activism?

[thogard]

At some point a hacker that is feed up with the energy waste or electronic waste or the general stupidity is going to crack one of these digital piggy banks and after pulling all of its loot will break all the keys.

I'm surprised it isn't already happing every day.

Re:

[gweihir]

The volume is just way too small still. But as soon as the other polluters start to fix their ways, CryptoCrap will be annihilated. That may take some time though. The way things are currently going, we probably will exceed 5C and then it does not matter anyways.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[iggymanz]

you really shouldn't make fun of the misfortune of these people and the DeFi

AHAHAHAHAHA! my sides!!! Fucking dumb-asses, hahaha. Thinking begging will get the money back, AHAHAHAA

Re:

[GlennC]

I don't know if "A fool and his money are soon parted" or "There is a sucker born every minute" makes more sense here

I'd say they're both applicable.

It would be even funnier if the hacker simply deleted the coins and they no longer exist.

Re:

[Darinbob]

https://youtu.be/VBkegy4aDvk?t... [youtu.be]

I repeat myself

[quonset]

Another day, another crypto hack [slashdot.org].

"Qubit" Finance... money is there and not there...

[ffkom]

... at the same time, right? Such a stereotypical naming for finance-wannabes. And just like with every other of those "platforms", chances are that "hacks" do not originate from some mysterious foreign party, but are part of the business model.

Re:

[NateFromMich]

... at the same time, right?

It's there until you check the balance of your account.

I'm the haxx0r

[Anonymouse Cowtard]

I'm ready to talk and return 95%. But first I need the 250k. Contact me here.

Ha ha ha!

[fredrated]

Let me repeat that: ha ha ha!

A $80,000,000 hack?!

[Lisandro]

I might be mistaken, but that has to be the most lucrative hack in history.

Man, crypto is a joke.

External Validation

[sudonim2]

Requiring an external actor to maintain the integrity of the blockchain means both that the blockchain is not secure and that it is not decentralized. It means the basic premise of crypto is false. So if crypto isn't a decentralized currency with no outside control, that means that crypto can only be a scam.

As an aside, the reason the thieves accept the bug bounty money instead of the cash they've already stolen (even though it's questionable at best if they even violated any laws) is they ran into the fact that crypto is a scam. All crypto coins are inherently deflationary. The longer you leave your money in coins, the greater the value of those coins over time. This is a terrible attribute for a currency for a variety of reasons that I won't go in to now. But the relevant way this is terrible is that it means any exchange for crypto to real money inherently loses liquidity over time. That means there simply isn't enough dollars, pounds, euros, and francs in the exchange to cover the value of the crypto coins in the exchange. So while this thief stole $50+million of currency, that's only on paper. I'm guessing the actual liquidity available to them is much less than that. It probably would only be comparable to the bug bounty they're being offered.

Re:

[Junta]

Note that while it is true the advocates advocating for it because it 'always goes up!' fail to understand that's what happened in the Great Depression, it's not guaranteed to be deflationary. See the last 3 months for example, where crypto-currency has been quite inflationary. While it's true that more of a particular instance of a crypto-currency can be prevented from creation, the other half, people caring less about that instance of crypto-currency, can of course make the currency inflationary.

So in sh

Re:

[sudonim2]

Inflation/deflation is different than valuation. The valuation of the coins varies wildly and unpredictably. But the structure of the blockchain itself is such that fewer coins are minted over time as the rate of transactions go up. This means the money supply itself is shrinking, inducing deflation no matter what the particular valuation is. That's why it's inherently deflationary. It is designed to be artificially scarce.

Now if the designers actually understood economics, which they clearly didn't, they

Re:

[Junta]

In practice, inflation/deflation is not strictly a function of the number of units of currency, but is intrinsically linked to valuation.. By extension, you can't design the currency to maintain a 1-3% inflation rate, because you also have to factor in a complex universe of realities including international tensions, weather, disease impact, breakthroughs, fads, overall sentiment. The report about 7% inflation is based on CPI, not reports on the money supply.

Sure assuming all those factors are level, then t

Its not really hacking...

[steveb3210]

Anyone willing to pay the gas can call any method implemented by your contract, how is this hacking? Nobody exceeded their access limits..

Re:

[gweihir]

Well, the one that wrote the code clearly is a hack, so there was some hack involved. Not on the side that apparently completely legitimately took the crapcoins though.

Re: Its not really hacking...

[HiddenL]

You can say that about most exploits...

"It's not hacking. They just called a function with an undersized buffer and the code did what its programmed to do..."

"It's not hacking. They just sent a perfectly valid request. Not their fault the code doesn't sanitize inputs..."

With this hack they used an invalid address to exploit the contract code.

Re:

[steveb3210]

The statutes talk about gaining exceeding your authorized access to a computer. Everyone is allowed access to all the functions on contracts on the blockchain, its not your computer anyone is exploiting.

Key takeaway

[Socguy]

The key takeaway from the interview is: We need to be building at scale TODAY, not a decade from now which is what the new designs promise. By then it's too late. The frustrating part is we HAVE the renewable technology to get going but we're lacking political will.

Victims of Crypto Hacks are getting help

[JustineTimeee]

DeFi hacks and cryptocurrency theft is growing like wildfire and even the most secure companies are getting infiltrated. If you have been a victim of these scams or hacks lately you can get help from Express Crypto Back, they specialize in tracking and recovering lost and stolen cryptocurrency.