Poly Network Hack - The Largest (Confirmed) Crypto Hack in History

2 years ago

The story of the most bizarre crypto hack where the hacker's only motive was to improve the network security and keep the investors safe. Read more!


Despite being regarded as secure and immutable, blockchain systems are subject to an increasing number of cyber-attacks. This has posed a question on the security offered by centralized exchanges and crypto projects. Unlike other types of hacking, crypto hacks are usually done by either “white attackers” or “grey attackers”. The former have no monetary interest and simply hack to expose security flaws. Grey attackers have no intention of causing financial harm, but their motives remain unclear.

What Is the Poly Network Hack?

The latest and largest crypto scam was executed on the cross-chain platform, Poly Network. The China-based platform allows multiple blockchain interactions and offers:
  1. A separate wallet for several blockchain projects it caters to, such as Ethereum, Bitcoin, and NEO.
  2. Smart contracts that allow users to swap native tokens of the aforementioned platforms and more.
  3. The Poly Network platform where the smart contracts operate.

One of the smart contracts of the network was attacked by a hacker. This resulted in a transfer of $612 million worth of ETH, USDT, and NEO to multiple proxy wallets.

When Did It Happen?

The transfer of tokens took place on 10th August 2021 on the decentralized finance (DeFi) site. The endorsed course of action should be the transfer of the hacked funds to an anonymous decentralized exchange. Poly Network requested projects to blacklist the hacked funds to render them useless to the hacker. Tether responded by freezing $33 million worth of USDT.

Poly Network communicated with the attacker directly, requesting him to return the funds. The platform admitted to having noticed the loophole in their security and even offered to appoint the hacker as their “Chief Security Officer.” Some investors and the company itself put a price tag on the return of the funds by the attacker. It was useless, as the attacker messaged:

“You don't know me. Money means little to me, some people are paid to hack, I would rather pay for the fun. I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network. (They can win double if they feel the current plan is awkward). If the Poly don't give the imaginary bounty, as everybody expects, I have well enough budget to let the show go on. Just some funny thoughts but I may probably make them come true. If you are still confused, ask some richer friends, what is money for? I trust some of their code, I would praise the overall design of the project, but I never trust the whole poly team. My only guilt was triggered from the refugees. All of my actions were determined since I made the final decision to be eternal. I am a little bit surprised that you call them professional negotiators, just look at their tense and repetitive words. If the Poly really got my initial idea, they could be less embarrassed. I published their request so that they got the chance to be a winner. Who do you think is dominating the game?”

On Aug. 11, the hacker initiated the return, stating that he felt sorry for the victims.

Initially reluctant to refund, the hacker ultimately made multiple returns to the wallet set up by Poly Network on the condition that the frozen USDTs would be released. The platform promised to repair the loophole that was exploited as part of its “mainnet upgrade.”

Poly Network offered a bug bounty of $500,000 to the hacker together with the promises of no legal repercussions. The hacker, however, said that the money will be distributed amongst the affected traders.

Post-Mortem of the Hack

Investigation into the attack revealed a loophole in the operation between two Poly contracts: EthCrossChainManager and EthCrossChainData. The EthCrossChainData is an owner-limited contract that cannot be accessed by anyone else. By gaining access to it, the hacker was able to move large volumes of funds to multiple wallets at the same time by replacing the Keeper’s key with their own. The hacker triggered the EthCrossChainManager to allow interchain transactions between the Poly Network and the Ethereum network.

EthCrossChainManager governs the EthCrossChainData. The former is also a type of high-privileged contract that can execute cross-chain transactions. By targeting the EthCrossChainData, the attacker was able to replace the Keeper’s key in the EthCrossChainData with their own. It granted the attacker the Keeper status for multiple wallets, including Ethereum, Binance, Neo, and Tether. All tokens were channeled into the attacker’s secret wallet.

Kelvin Fichter tweeted about the fiasco:

“One of the biggest design lessons that people need to take away from this is: if you have cross-chain relay contracts like this, MAKE SURE THAT THEY CAN'T BE USED TO CALL SPECIAL CONTRACTS. The EthCrossDomainManager shouldn't have owned the EthCrossDomainData contract.”
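The ownership relationship from the post-mortem and the design lesson in the tweet, as a toy Python model added here (it is not Poly Network's contract code). The class and method names (`DataStore`, `Vault`, `RelayManager`, `set_keeper`, `release`) and the allowlist are assumptions made for illustration; message verification is assumed to have passed, so only the dispatch step is modelled.

```python
# Toy model constructed for illustration; not Poly Network's contract code.
class DataStore:
    """Stands in for EthCrossChainData: owner-only storage of the keeper key."""
    def __init__(self, keeper):
        self.owner = None
        self.keeper = keeper

    def set_keeper(self, caller, new_keeper):
        if caller is not self.owner:
            raise PermissionError("only the owner may change the keeper")
        self.keeper = new_keeper


class Vault:
    """Ordinary application contract that relayed messages are meant to reach."""
    def __init__(self):
        self.released = []

    def release(self, caller, recipient):
        self.released.append(recipient)


class RelayManager:
    """Stands in for EthCrossChainManager: owns the store, executes messages."""
    def __init__(self, store, allowed_targets=None):
        self.store = store
        store.owner = self                      # manager owns the data contract
        self.allowed_targets = allowed_targets  # None = no restriction (flawed)

    def execute(self, target, method, arg):
        # Message verification is assumed to have passed; only dispatch is modelled.
        if self.allowed_targets is not None and not any(
                target is t for t in self.allowed_targets):
            raise PermissionError("target is not a registered application contract")
        # The call is made as the manager, so owner checks on contracts it owns pass.
        getattr(target, method)(self, arg)


def run(hardened):
    """Relay one normal message, then one aimed at the manager's own data store."""
    store, vault = DataStore("keeper-A"), Vault()
    manager = RelayManager(store, [vault] if hardened else None)
    manager.execute(vault, "release", "alice")            # legitimate use
    try:
        manager.execute(store, "set_keeper", "keeper-X")  # message-chosen target
    except PermissionError:
        pass
    return store.keeper, vault.released
```

With no target restriction the owner check on the store is satisfied by the manager itself, so the keeper changes; with the allowlist the same message is rejected while the ordinary one still goes through.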

Impact on the Crypto Community

The aftermath of the hack was that Poly Network acknowledged its security loophole. It also reinforced the idea that blockchain is not synonymous with security. The threat in crypto is more or less the same as in real-world transactions.

DeversiFi CTO Konrad Strachan commented that the hack exposed an Ethereum “library defect” that made the blockchain vulnerable. Additional security layers were consequently added in an attempt to enhance security.

Other Noteworthy Crypto Hacks

The history of the cryptocurrency and blockchain industry is full of hacks and scams that offer valuable lessons to users and developers. Some of these include:

In Conclusion

Attacks bring to the forefront changes needed in coding for secure transactions. Involvement of all stakeholders to ensure foolproof trading is the prerequisite for avoiding crypto scams and hacks. Greater regulation by the government is being considered as a measure to make blockchains secure. It may create barriers for investors but will increase security. Improved blockchain forensic tools for analyzing, bug-spotting, and hack recognition can ensure recovery and compensation following similar attacks.