Crypto outfit Qubit appeals to the honour of thieves who lifted $80M of its digi-dollars
Offers $2 million bug bounty and hopes perps see that record payout, and a clean conscience, as reasons to sacrifice $78m
Another week, another crypto upstart admitting its lax security has been exploited and parties unknown have made off with millions. But this time there's a twist: the crypto upstart has asked for the return of its assets by appealing to the thieves' consciences.
The crypto concern is Qubit Finance – an outfit that offers decentralized lending and borrowing and operates under the motto "Lend to ascend – Borrow for tomorrow."
Last Friday Qubit admitted one of its protocols had been exploited in unintended ways, with the result that attackers made off with $80 million of crypto assets.
Because the attack used Qubit's protocols, it appears to have left a trace on the blockchain.
The protocol was exploited by;
The hacker minted unlimited xETH to borrow on BSC.
The team is currently working with security and network partners on next steps.
We will share further updates when available.
— Qubit Finance (@QubitFin) January 28, 2022
The firm's response to the incident is twofold.
One effort aims to help victims by creating a website on which they can download records of their holdings being stolen, for presentation to police. The Register wishes those whose coins were purloined the best of luck when they visit the local constabulary with that documentation.
The other is the offer of a $2 million bug bounty, on the condition the exploiter will return $80 million of stolen coin.
Quick back-of-the-envelope calculation: Qubit is asking the exploiter to forgo $78 million.
In return, the firm is offering the kudos that comes with scoring the equal highest bug bounty known to have been paid for finding flaws, and a chance for the attacker to cleanse their conscience.
We'd like to offer the exploiter the highest bounty in history.
Let's retweet this! pic.twitter.com/eQ0iUOaxiy
— Qubit Finance (@QubitFin) January 30, 2022
Qubit has also tweeted that it has enlisted outside help to track the perpetrator.
Between the threat of security experts on their tail, and the evidence Qubit has found, The Register fancies whoever exploited the protocol may well be weighing the chance to score $2 million of clean bounty cash against the complexities of turning $80 million of marked digi-dollars into something more fungible.
There is precedent for crackers handing back crypto. It happened after the $600 million crypto-heist at Poly Network. But the perps in that case claimed they were pranksters, not thieves.
There's no indication the perpetrators in this case aren't just thieves – a profession not noted for displaying honourable qualities. And $78 million is a lot to lose, especially given that scooping a bounty would not be a risk-free activity. ®