The hacker called `deposit()` in the QBridge #eth contract w/o really making any deposit and emitted the Deposit event
The exploit was caused by `tokenAddress.safeTransferFrom` in QBridgeHandler.sol which didn't revert the tx when the tokenAddress is the 0x0.
2. The Ethereum QBridge captured the Deposit event and minted $qXETH for the hacker on #BSC.
The QBridge treats the Deposit event as an event of depositing #ETH because the `deposit` and `depositETH` methods in the #QBridge contract emit the same event.
3. The hacker repeated steps 1 & 2 to gain a large amount of $qXETH. Lastly, the hacker converted all the assets to $BNB and the profit is around $80M.