Skip to main content

A decentralized lending platform that lost $80 million to hackers offered them an astonishing multi-million dollar bug bounty in exchange for the stolen funds.

Qubit Finance revealed late last week that an attacker had exploited a vulnerability in its QBridge deposit function.

In doing so, they managed to get away with a large amount of Ethereum, which they converted into Binance coins worth tens of millions of dollars. Indeed, they were able to exploit an error in Qubit Finance’s code to withdraw Binance tokens without depositing Ethereum.

The company pleaded with their attacker to return the funds, addressing them on Twitter as “dear exploiter”.

“We suggest that you negotiate directly with us before taking any other action”, he wrote on friday. “Exploitation and loss of funds is having a profound effect on thousands of real people. If the maximum bounty now is what you are looking for, we are open to a conversation. Let’s find a solution.

A follow-up note confirmed that the company would offer a “maximum” bug bounty and would not seek to press charges if the attacker returned the funds.

Subsequent posts over the weekend then increased that “maximum” bounty to $1 million, and then on Sunday to $2 million.

It’s unclear if the tactic was simply to buy EXTRA time for investigators or if the company was genuinely prepared to hand out a hefty bug bounty to a cybercriminal.

A new post posted a few hours ago revealed that the company is working on a new site that will allow affected users to access their digital wallets to deposit dealings with the local police. However, they have little hope of getting their money back unless the cyber thieves decide to cooperate with Qubit Finance.

A report from Chainalysis last week claimed that decentralized finance (DeFi) protocols were the most attacked last year, losing over $2 billion.