original source: https://mp.weixin.qq.com/s/-kTsAs2WH5_4N4_3-XIxag
On 2022-01-28, we all know that Qubit Finance was hacked once gain. As it has already been hacked three times, wtf. Following the lead by Qubit Finance Tweeter, we found the attacker address:
https://bscscan.com/address/0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7
As we have the address now, lets start analysis what’s behind.
Analysis and Reasoning:
First, lets check what transactions are there sent by hacker:
Checking all these transactions on by one, we found that the attacker had not prepare any money or deploy any contracts for the attack. Instead, he called “borrow” function at first. This is somehow very strange, as it could only come from two reasons. One is, he could use “borrow” to get all the assets. The other is, this is not the first crime scene. In order to figure this out, lets check what is this “borrow”:
Clearly, this “borrow” function is organized in the common “Compund” architecture, where we should first have collaterals. At line 239, we have also found related checks in function “borrowAllowed
". This leads us to the conclusion that this line is not the direct cause. In case if the logic of borrow is correct, the hacker use the money from the first crime scene as collaterals to borrow. But where is actually hackers money from? With this question, lets dig futher about how the hack move his tokens.