Poly Network Attack Reveals DeFi Flaws: Details of the Biggest Hack in History
Not so long ago, the cryptocurrency community was stirred up by the shocking news of the Poly Network hack, which has already been dubbed the largest not only in decentralized finance (DeFi) but in the entire history of the crypto industry.
The hacker, whose identity is still unknown, exploited a vulnerability in Poly Network's cross-chain protocol and was able to steal $611 million in various cryptocurrencies from three different blockchains.
In total, roughly $273 million from the Ethereum network, $85 million in USD Coin (USDC) from the Polygon network, and $253 million from the Binance Smart Chain were stolen, according to Poly Network.
How was Poly Network hacked?
According to Anton Bukov, co-founder of the DeFi aggregator 1inch Network, the hacker succeeded because he was able to detect a flaw in one of the Poly Network subsystems, which is designed to forward users' smart contract interactions between different blockchains.
He explained that the hacker first linked bogus transactions on one chain, then made a call into a system contract on another chain, and transferred the ownership of the asset repository to the public key.
Thus, the mistake of the developers and auditors of Poly Network, who overlooked or ignored a vulnerability that allows arbitrary user calls to be made through a privileged smart contract, cost a pretty penny.
John Jeffries, the chief financial analyst at CipherTrace, told Cointelegraph that this hack differs from all previous attacks not only in scale but also in the way it was carried out.
According to him, the hacker was able to find a vulnerability that allowed him to bypass the private key system and force the smart contract to send funds to itself.
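A simplified model of the flaw described above, added here as an illustration and not taken from Poly Network's code: a relay that forwards user-chosen calls under its own privileged identity, next to a version restricted to an allowlist of routes. All class, method and key names are hypothetical.

```python
# Simplified, constructed model; names are hypothetical, not Poly Network code.

class KeyRegistry:
    """Holds the key that authorises withdrawals; only the relay may change it."""
    def __init__(self, relay_id, owner_key):
        self.relay_id = relay_id
        self.owner_key = owner_key

    def set_owner(self, caller, new_key):
        if caller != self.relay_id:
            raise PermissionError("only the relay may rotate the key")
        self.owner_key = new_key


class TokenApp:
    """An ordinary application contract that users are meant to reach."""
    def __init__(self):
        self.credits = {}

    def credit(self, caller, account, amount):
        self.credits[account] = self.credits.get(account, 0) + amount


class Relay:
    """Forwards cross-chain messages, calling targets with its own identity."""
    ID = "relay"

    def __init__(self, contracts, allowed=None):
        self.contracts = contracts  # name -> contract object
        self.allowed = allowed      # None = forward anything (the flaw)

    def execute(self, msg):
        route = (msg["target"], msg["method"])
        if self.allowed is not None and route not in self.allowed:
            raise PermissionError(f"route {route} is not permitted")
        getattr(self.contracts[route[0]], route[1])(self.ID, *msg["args"])


def run(msg, hardened):
    """Deliver one user-supplied message; return (owner key, app credits)."""
    registry, app = KeyRegistry(Relay.ID, "operator-key"), TokenApp()
    allowed = {("app", "credit")} if hardened else None
    try:
        Relay({"registry": registry, "app": app}, allowed).execute(msg)
    except PermissionError:
        pass  # rejected messages leave state untouched
    return registry.owner_key, app.credits


# Constructed messages: one names the privileged registry, one is ordinary.
KEY_MSG = {"target": "registry", "method": "set_owner", "args": ["untrusted-key"]}
APP_MSG = {"target": "app", "method": "credit", "args": ["alice", 5]}
```

The registry's own caller check passes in the unrestricted relay because the relay itself is the caller; the allowlist closes that path while ordinary application messages still go through.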
“Perhaps at some point, the hacker reused the wallet, with previous transactions already recorded with some well-known exchanges that could identify KYC information about it,” Jeffries added.
In addition, Jeffries doubts that the hacker originally intended to return the money, since in that case he would not have tried to hide the trail of the stolen funds.
However, unless the attack was ordered by Poly Network to verify the reliability of its systems, such actions are illegal and carry criminal liability. Therefore, it is not surprising that the hacker took every possible precaution.
Shortly after the hack, the hacker, using messages embedded in Ethereum transactions, said that Poly Network was chosen for the attack because cross-chain hacking is very popular nowadays. The attack itself took a long time to prepare, since it took time to study the weaknesses of the system and find the necessary loophole.
The hacker said he never intended to embezzle the stolen $611 million. His goal was to expose the network vulnerability to users before the Poly Network developers could secretly fix it.
He considered it safer not to inform the team about the error, because he could not be sure that his discovery would not be used by rogue insiders at the company to steal funds that would be unlikely ever to be returned.
“I can’t trust anyone! This was the only solution I could come up with,” the hacker explained.
All stolen money has been returned!
On Thursday, August 12, Poly Network announced that all of the stolen $611 million had been returned by the hacker to a special multi-signature wallet, except for $33 million worth of Tether (USDT) tokens, which were frozen immediately after news of the attack broke.
First, the hacker returned some of the stolen funds to the DeFi protocol. According to CipherTrace, over $265 million was returned to Poly Network in the form of $1 million in US dollars; $256.2 million in BTCB and BUSD; $2.637 million in Binance Coin (BNB) and $3.4 million in Shiba Inu (SHIB), renBTC and Fei.
According to the hacker himself, the purpose of the entire attack was to teach Poly Network an expensive lesson on security, and he had wanted to return the money from the start.
However, Tom Robinson, chief scientist at the analytics company Elliptic, believes that in fact it was extremely difficult for the hacker to launder or cash out the stolen assets due to the transparency of the blockchain.
After clarifying all the circumstances of the hack and the return of the stolen money, a spokesman for Poly Network announced that the company was ready to offer the individual, whom the company dubbed “Mr. White Hat,” a $500,000 bounty. But the hacker politely declined the offer.
Now that all the money has been returned and the vulnerability has been identified and, perhaps, even already fixed by the developers of Poly Network, the public is most interested in the identity of the eccentric “benefactor”, which still remains a mystery.
However, this may soon be cleared up, as the Chinese cybersecurity company SlowMist announced that it was able to identify the email address, IP address and device fingerprint of the hacker who attacked the Poly Network.
Hopefully, in the future, the security protocols of DeFi and other systems will be designed and tested more thoroughly.