Another week, another crypto upstart admitting its lax security has been exploited and parties unknown have made off with millions. But this time there’s a twist: the crypto upstart has asked for the return of its assets by appealing to the thieves’ consciences.
The crypto concern is Qubit Finance – an outfit that offers decentralized lending and borrowing and operates under the motto “Lend to ascend – Borrow for tomorrow.”
Last Friday Qubit admitted one of its protocols had been exploited in unintended ways, with the result that attackers made off with $80 million of crypto assets.
Because the attack used Qubit’s protocols, it appears to have left a trace on the blockchain.
The protocol was exploited by;
0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
The hacker minted unlimited xETH to borrow on BSC.
The team is currently working with security and network partners on next steps.
We will share further updates when available. — Qubit Finance (@QubitFin) January 28, 2022
The firm’s response to the incident is twofold.
One effort aims to help victims by creating a website on which they can download records of their holdings being stolen, for presentation to police. The Register wishes those whose coins were purloined the best of luck when they visit the local constabulary with that documentation.
The other is the offer of a $2 million bug bounty, on the condition the exploiter will return $80 million of stolen coin.
Quick back-of-the-envelope calculation: Qubit is asking the exploiter to forgo $78 million.
In return, the firm is offering the kudos that comes with scoring the equal-highest bug bounty known to have been paid for finding flaws, and a chance for the attacker to cleanse their conscience.
We’d like to offer the exploiter the highest bounty in history.
Let’s retweet this! pic.twitter.com/eQ0iUOaxiy — Qubit Finance (@QubitFin) January 30, 2022
Qubit has also tweeted that it has enlisted outside help to track the perpetrator.
Between the threat of security experts on their tail, and the evidence Qubit has found, The Register fancies whoever exploited the protocol may well be weighing the chance to score $2 million of clean bounty cash against the complexities of turning $80 million of marked digi-dollars into something more fungible.
There is precedent for crackers handing back crypto. It happened after the $600 million crypto-heist at Poly Network. But the perps in that case claimed they were pranksters, not thieves.
There’s no indication the perpetrators in this case aren’t just thieves – a profession not noted for displaying honourable qualities. And $78 million is a lot to lose, especially given that scooping a bounty would not be a risk-free activity. ®