SlowMist analyzed the January 2022 Qubit Finance exploit, which caused roughly $80 million in losses through QBridge. The attacker supplied the resourceID for cross-chain ETH but called the ordinary token deposit path rather than depositETH, bypassing the intended msg.value check. Because the handler accepted the whitelisted ETH resource while the token address was the zero address, a safeTransferFrom call to an address with no code returned successfully and triggered the bridge deposit event. QBridge then treated the transaction as a valid ETH cross-chain deposit, minted large amounts of qXETH on BSC, and enabled the attacker to use that qXETH as collateral against Qubit’s lending pool. The source identifies the root cause as missing native-token validation after whitelist checks and recommends explicitly checking whether deposited tokens are native assets.