Protocol Exploit Report 2
2022-01-31 • Qubit Finance
https://medium.com/@QubitFin/protocol-exploit-report-2-30aade4d66de
Qubit’s second exploit report explains that QBridge contracts were deployed in late November 2021, audited in December, and then upgraded to add direct ETH deposits instead of WETH. The team says the obsolete deposit function unintentionally remained after the depositETH upgrade, while setResource used the zero address so executeProposal could handle native ETH withdrawals. Qubit states that the issue was outside the reviewed depositETH focus, was missed during internal review, and became the condition exploited on January 28, 2022; the report disputes claims that the zero-address setting was malicious.