Crypto outfit Qubit appeals to the honour of thieves who lifted $80M of its digi-dollars

Offers $2 million bug bounty and hopes perps see that record payout, and a clean conscience, as reasons to sacrifice $78m


Another week, another crypto upstart admitting its lax security has been exploited and parties unknown have made off with millions. But this time there's a twist: the crypto upstart has appealed for the return of its assets by appealing to the thieves' consciences.

The crypto concern is Qubit Finance – an outfit that offers decentralized lending and borrowing and operates under the motto "Lend to ascend – Borrow for tomorrow."

Last Friday Qubit admitted one of its protocols had been exploited in unintended ways, with the result that attackers made off with $80 million of crypto assets.

Because the attack used Qubit's protocols, it appears to have left a trace on the blockchain.

The firm's response to the incident is twofold.

One effort aims to help victims by creating a website on which they can download records of their holdings being stolen, for presentation to police. The Register wishes those whose coins were purloined the best of luck when they visit the local constabulary with that documentation.

The other is the offer of a $2 million bug bounty, on the condition the exploiter will return $80 million of stolen coin.

Quick back-of-the-envelope calculation: Qubit is asking the exploiter to forgo $78 million.

In return, the firm is offering the kudos that comes with scoring the equal highest bug bounty known to have been paid for finding flaws, and a chance for the attacker to cleanse their conscience.

Qubit has also tweeted that it has enlisted outside help to track the perpetrator.

Between the threat of security experts on their tail, and the evidence Qubit has found, The Register fancies whoever exploited the protocol may well be weighing the chance to score $2 million of clean bounty cash against the complexities of turning $80 million of marked digi-dollars into something more fungible.

There is precedent for crackers handing back crypto. It happened after the $600 million crypto-heist at Poly Network. But the perps in that case claimed they were pranksters, not thieves.

There's no indication the perpetrators in this case aren't just thieves – a profession not noted for displaying honourable qualities. And $78 million is a lot to lose, especially given that scooping a bounty would not be a risk-free activity. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Inverse Finance stung for $1.2 million via flash loan attack
    Just cryptocurrency things

    A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.

    "Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."

    And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Musk repeats threat to end $46.5bn Twitter deal – with lawyers, not just tweets
    Right as Texas AG sticks his oar in

    Elon Musk is prepared to terminate his takeover of Twitter, reiterating his claim that the social media biz is covering up the number of spam and fake bot accounts on the site, lawyers representing the Tesla CEO said on Monday.

    Musk offered to acquire Twitter for $54.20 per share in an all-cash deal worth over $44 billion in April. Twitter's board members resisted his attempt to take the company private but eventually accepted the deal. Musk then sold $8.4 billion worth of his Tesla shares, secured another $7.14 billion from investors to try and collect the $21 billion he promised to front himself. Tesla's stock price has been falling since this saga began while Twitter shares gained and then tailed downward.

    Morgan Stanley, Bank of America, Barclays, and others promised to loan the remaining $25.5 billion from via debt financing. The takeover appeared imminent as rumors swirled over how Musk wanted to make Twitter profitable and take it public again in a future IPO. But the tech billionaire got cold feet and started backing away from the deal last month, claiming it couldn't go forward unless Twitter proved fake accounts make up less than five per cent of all users – a stat Twitter claimed and Musk believes is higher.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022