On August 10, the interoperability protocol Poly Network experienced what unfolded to be the largest hack in DeFi history. Attacking the Poly Network on Ethereum, Binance Smart Chain, and Polygon chains, a hacker managed to make off with more than $600 million worth of digital assets.
While the network initially claimed that the hacker exploited a vulnerability between contract calls, a number of analysts have suggested that the network’s poor security practices might instead have led to the theft of private keys. The leading theories focus on the attacker gaining control of Poly Network’s keepers.
Meanwhile, the hacker has returned a portion of the stolen funds and has shown intent to return them all. As of press time, the situation continues to develop.
Poly Network Exploitation Explained
Poly Network, a cross-chain interoperability protocol that is used to swap tokens across numerous blockchains, was exploited for a record $600 million. The hacker exploited the network across three blockchains used for decentralized finance (DeFi): Ethereum, Binance Smart Chain, and Polygon.
The attacker managed to steal more than $250 million from Binance Smart Chain, over $85 million in USDC from the Polygon network, and approximately $270 million from the Ethereum network. Following the hack, Tether froze around $33 million in USDT linked to the hacker’s address.
. @Tether_to just froze ~33M $USDt on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 as part of the #PolyNetwork hack https://t.co/EviPTAkQJD
— Paolo Ardoino (@paoloardoino) August 10, 2021
Poly Network took to Twitter to announce the bad news. In the early stages, the network urged miners to blacklist tokens coming from the attacker’s addresses. The network also asserted that they will take legal actions and requested the hacker to return all the stolen assets.
Chinese cybersecurity firm SlowMist asserted that it has audited the hack and has “grasped the attacker’s mailbox, IP, and device fingerprints.” SlowMist also pointed out that they are tracking the possibility that an insider from Poly Network might have assisted the hacker as it was “a long-planned, organized and prepared attack.”
2) The SlowMist security team has grasped the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking, and is tracking possible identity clues related to the Poly Network attacker.
— SlowMist (@SlowMist_Team) August 10, 2021
Poly Network Hacker is ‘Ready To Return The Funds’
The Poly Network exploiter has shown intent to return the stolen digital assets. The hacker has already paid more than $5 million to the addresses provided by the Poly Network itself.
At around 4:00 am UTC on August 11, the hacker sent an Ethereum transaction to itself, stating:
“READY TO RETURN THE FUND !”
Subsequently, the attacker asked for a secured multi-sig wallet to return all the funds. “Failed to contact the poly. I need a secured multisig wallet from you,” the hacker wrote in a message embedded in a transaction.
At around 8 am UTC, the hacker commenced returning stolen funds in USDC on the Polygon blockchain, sending 10, then 10,000, then 1 million USDC. Since then, the hacker has transferred $1.1 million in BTCB, $2 million in SHIBA tokens, and $600,000 in FEI, a stablecoin by Fei Labs.
A number of factors could have pushed the hacker into returning the stolen funds; the most notable include:
- Tether froze around $33 million of the funds
- Poly Network urged miners to blacklist stolen tokens
- Some prominent cybersecurity firms were supposedly tracking the hacker
- Executives at Binance, OKEx, and Huobi promised to help
The fact that all parties involved in the industry did their best to reverse the theft was quite promising, as DeFi hacks continue to burden the industry. In 2020, DeFi hacks totaled $154 million. However, BSC-based protocols alone were exploited for a whopping $370 million in the first half of 2021.
How was Poly Network Hacked?
Poly Network initially claimed that the hacker exploited a vulnerability between contract calls. However, some security auditors and researchers claimed that the network’s poor security practices might have led to the theft of the private keys that authorize transactions.
Mikko Ohtamaa, with over 25 years of experience in the software development industry, said that the hacker managed to replace the four Poly Network keepers—servers that move messages between the blockchains—with the attacker him/herself. This way, the hacker became the sole authorizer of all transactions and managed to steal the funds.
Ohtamaa is not alone in this viewpoint; other industry experts share it. Another blockchain developer explained all of the hacker’s steps in a long Twitter thread, calling it “genius.”
An Ethereum developer, Mudit Gupta, also believes the hacker got a hold of the keepers and rejects the vulnerability in contract calls as a cause for the hack. He explored the recent hack in great detail in his blog, saying:
“Once the keeper was in the attacker’s control, the attacker could do arbitrary cross-chain transactions on the destination blockchains even if no such transaction took place on the source blockchain.”
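To make the keeper risk described above concrete, here is a toy model of a destination-chain verifier, written for this article and not Poly Network’s code. It assumes HMAC-SHA256 as a stand-in for keeper signatures and a `source_events` set as a stand-in for a source-chain inclusion proof; it shows why a keeper set that can shrink to one party, or that is trusted without a source-chain check, lets forged cross-chain messages through, and what a threshold-and-proof rule changes.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed example. Keeper signatures are stood in for by HMAC-SHA256
# so the model runs offline; only the holder of a keeper key can "sign".

def keeper_sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Destination:
    keepers: dict     # keeper id -> signing key
    threshold: int    # distinct valid keeper signatures required per message

    def keeper_quorum(self, msg: bytes, sigs: dict) -> bool:
        # Count only signatures that verify under a currently registered keeper.
        ok = {kid for kid, s in sigs.items()
              if kid in self.keepers
              and hmac.compare_digest(keeper_sign(self.keepers[kid], msg), s)}
        return len(ok) >= self.threshold

    def rotate_keepers(self, new_keepers: dict, sigs: dict) -> bool:
        # Hardened rule 1: the set can never collapse below the threshold,
        # so no single party can become the sole authorizer.
        if len(new_keepers) < self.threshold:
            return False
        # Hardened rule 2: a rotation needs a quorum of the *current* keepers.
        msg = b"rotate:" + ",".join(sorted(new_keepers)).encode()
        if not self.keeper_quorum(msg, sigs):
            return False
        self.keepers = dict(new_keepers)
        return True

    def execute(self, msg: bytes, sigs: dict, source_events: set) -> bool:
        # Hardened rule 3: keeper quorum alone is not enough; the message must
        # correspond to an event actually observed on the source chain
        # (source_events stands in for a header/inclusion proof).
        return self.keeper_quorum(msg, sigs) and msg in source_events

def weak_verifier(attacker_key: bytes) -> Destination:
    # The failure mode from the article: one attacker-controlled keeper,
    # threshold 1. keeper_quorum() alone accepts anything that key signs.
    return Destination(keepers={"only": attacker_key}, threshold=1)
```

With the weak verifier, `keeper_quorum` passes for any message the single key signs, so only the source-event check in `execute` stops a transfer that never happened on the source chain.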
If all the stolen assets are recovered, what would this mean for DeFi? Let us know what you think in the comments below.
The post The Largest Hack in DeFi’s History: How It May Have Happened appeared first on The Tokenist.