Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Qubit Finance is a money market platform for lenders and borrowers. This functionality includes a Ethereum - BSC bridge (blockchain connector). In the case of Qubit Finance’s bridge, you deposit your ERC-20 tokens to the bridge and receive BEP-20 tokens in return.

The function safeTransferFrom is used to send tokens from the depositor and into the contract. When doing this, the user needs to provide an ERC20 token address.

When passing in this address, the contract attempts to use transferFrom to remove funds of the user to put into the contract. Then, on the other blockchain, the user gets newly minted tokens. However, if no code was at this address, the transfer of funds would never occur but the minting would still take place.

When no code exists at an address, the call return successfully. This is a weird quirk of this language! The attacker entered in 0 as the address. By using the attack over and over again, an infinite amount of qXETH could be minted. This drained an estimated $80 million from the protocol

This was a simple case of bad error handling and bad input validation. The usage of a custom ERC20 library, instead of the OpenZepplin, caused them issues as well. It is very strange how the address returns a success when there is no code there. An additional link can be found at here