Qubit Finance: Zero-Address safeTransferFrom Logic Bug (Cross-Chain Bridge Deposit)
Summary
Qubit Finance suffered a Cross-Chain Lending / Bridge exploit on 2022-01-28, resulting in a loss of approximately $80M.
What happened
Qubit Finance lost $80M when attackers called a deprecated bridge deposit function with a zero-address token, silently "depositing" nothing on Ethereum while minting $185M in collateral on BSC.
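The failure mode described above, as an added Solidity illustration (not Qubit's code and not from the original page): a low-level `call` to an address with no code, `address(0)` included, returns success with empty return data, so a deposit path that only inspects the call result accepts a transfer that moved nothing. The contract, function and mapping names are hypothetical, and the sketch assumes the destination chain mints from the `Deposit` event.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Added illustration; every name here is hypothetical, not Qubit's.
contract BridgeDepositSketch {
    event Deposit(address indexed token, address indexed depositor, uint256 amount);

    mapping(address => bool) public allowedToken;

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) {
            // Refuse to allowlist an address that has no contract code.
            require(tokens[i].code.length > 0, "token has no code");
            allowedToken[tokens[i]] = true;
        }
    }

    // Weak pattern: if `token` has no code (for example address(0)), the call
    // returns ok = true with empty data, the require passes, and the event
    // reports a deposit although no tokens moved.
    function depositUnchecked(address token, uint256 amount) external {
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
        emit Deposit(token, msg.sender, amount);
    }

    // Hardened pattern: allowlisted token with code, and the event carries the
    // balance actually received rather than the amount the caller claimed.
    function depositChecked(address token, uint256 amount) external {
        require(allowedToken[token] && token.code.length > 0, "bad token");
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - balBefore;
        require(received > 0, "nothing received");
        emit Deposit(token, msg.sender, received);
    }
}
```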
Linked factors
- RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: In audited code — but the audit missed the dead-code / zero-address safeTransferFrom interaction]
- RD-F-090 — illustrative: Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding of attacker address shortly before exploit]
- RD-F-126 — causal: Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BSC lending protocol; Compound-adjacent architecture]
- RD-F-127 — related: Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — BSC lending protocol; Compound-adjacent architecture]